Nmap Penetration Testing Guide

7erry

Introduction

Nmap, short for "Network Mapper", is a tool for rapidly scanning networks of all sizes for network exploration and security auditing. Created by Gordon Lyon in 1996 and maintained by him ever since, it is one of the best-known scanners in existence. Beyond basic functions such as network port scanning and remote fingerprinting, it also offers fairly complete information gathering, database and network penetration-testing features, and with its powerful scripting support it can perform almost any network scanning test we might want. Nmap is one of the network security industry's exemplars of sticking to the GNU GPL and keeping its source open, a fine case study in the open-source spirit. It is so renowned that everyone working in networking or network security should understand Nmap and be able to use it proficiently.

Nmap syntax and common options

In the vast majority of cases Nmap is run from the command line; even its GUI, Zenmap, still follows Nmap's syntax, namely

nmap [Option|Protocol] Target

Nmap's commonly used options include, but are not limited to:

  • Host discovery
    • -iR choose random targets
    • -iL load IP addresses from a file
    • -sL list scan: simply list the targets
    • -sn ping scan: disable port scanning
    • -Pn treat all hosts as online, skip host discovery
    • -PS[portlist] TCP SYN ping (requires root)
    • -PA[portlist] TCP ACK ping
    • -PU[portlist] UDP ping
    • -PY[portlist] SCTP ping
    • -PE/PP/PM ICMP echo, timestamp and netmask request probes
    • -PO[protocol list] IP protocol ping
    • -n/-R never do DNS resolution / always resolve [default: sometimes]
    • --dns-servers specify custom DNS servers
    • --system-dns use the OS's DNS resolver
    • --traceroute trace the hop path to each host
  • Scan techniques
    • -sS TCP SYN scan
    • -sT TCP connect() scan
    • -sA TCP ACK scan
    • -sU UDP scan
    • -sI idle scan
    • -sF FIN scan
    • -b [FTP relay host] FTP bounce scan
  • Port specification and scan order
    • -p scan the specified ports
    • --exclude-ports exclude the specified ports from the scan
    • -F fast mode: scan fewer ports than the default scan
    • -r scan ports sequentially, do not randomize
    • --top-ports scan the [number] most common ports
  • Service/version detection
    • -sV probe open ports for service/version information
    • --version-intensity set version scan intensity (0-9)
    • --version-all try every single probe
    • --version-trace show detailed version scan activity (for debugging)
  • Script scan
    • -sC equivalent to --script=default
    • --script=[lua scripts],[lua scripts] comma-separated list of directories, script files or script categories
    • --script-args=[n1=v1,n2=v2] provide arguments to scripts
    • --script-args-file=filename load script arguments from a file
    • --script-trace show all data sent and received
    • --script-updatedb update the script database
    • --script-help=[lua scripts] show help about scripts
  • OS detection
    • -O enable OS detection
    • --osscan-limit limit OS detection to promising targets
    • --osscan-guess guess the OS more aggressively
  • Timing and performance
    • --host-timeout give up on a target after this long
    • --scan-delay set the delay between probes
    • -T <0-5> set the timing template; the lower the value, the lower the chance of triggering IDS alerts
  • Firewall/IDS evasion and spoofing
    • -f fragment packets
    • -S spoof the source address
    • -g use the given local source port
    • --proxies [url,port] relay connections through HTTP/SOCKS4 proxies
    • --data [hex string] append a custom payload to sent packets
    • --data-string append a custom ASCII string to sent packets
    • --data-length append random data to sent packets
    • --spoof-mac spoof the MAC address
    • --badsum send packets with a bogus TCP/UDP/SCTP checksum
  • Output
    • -oN normal output
    • -oX XML output
    • -oS s|<rIpt kIddi3 output
    • -oG grepable output
    • -oA output in the three major formats at once
    • -v verbosity level
    • -d debugging level
    • --packet-trace show all packets sent and received
    • --reason display the reason a port is in a particular state
    • --open only show open ports
  • Misc
    • -6 enable IPv6 scanning
    • -A enable OS detection, version detection, script scanning and traceroute
    • -V print the version number
    • -h help summary

After installing Nmap, run nmap -h for a more detailed summary of its syntax and options

Nmap 7.93 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
 TARGET SPECIFICATION:
 Can pass hostnames, IP addresses, networks, etc.
 Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
 -iL <inputfilename>: Input from list of hosts/networks
 -iR <num hosts>: Choose random targets
 --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
 --excludefile <exclude_file>: Exclude list from file
 HOST DISCOVERY:
 -sL: List Scan - simply list targets to scan
 -sn: Ping Scan - disable port scan
 -Pn: Treat all hosts as online -- skip host discovery
 -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
 -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
 -PO[protocol list]: IP Protocol Ping
 -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
 --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
 --system-dns: Use OS's DNS resolver
 --traceroute: Trace hop path to each host
 SCAN TECHNIQUES:
 -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
 -sU: UDP Scan
 -sN/sF/sX: TCP Null, FIN, and Xmas scans
 --scanflags <flags>: Customize TCP scan flags
 -sI <zombie host[:probeport]>: Idle scan
 -sY/sZ: SCTP INIT/COOKIE-ECHO scans
 -sO: IP protocol scan
 -b <FTP relay host>: FTP bounce scan
 PORT SPECIFICATION AND SCAN ORDER:
 -p <port ranges>: Only scan specified ports
     Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
 --exclude-ports <port ranges>: Exclude the specified ports from scanning
 -F: Fast mode - Scan fewer ports than the default scan
 -r: Scan ports sequentially - don't randomize
 --top-ports <number>: Scan <number> most common ports
 --port-ratio <ratio>: Scan ports more common than <ratio>
 SERVICE/VERSION DETECTION:
 -sV: Probe open ports to determine service/version info
 --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
 --version-light: Limit to most likely probes (intensity 2)
 --version-all: Try every single probe (intensity 9)
 --version-trace: Show detailed version scan activity (for debugging)
 SCRIPT SCAN:
 -sC: equivalent to --script=default
 --script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
        <Lua scripts> is a comma-separated list of script-files or
        script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
    probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
    and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--noninteractive: Disable runtime interactions via keyboard
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

Nmap host discovery

One of the very first steps in any network reconnaissance task is to reduce a (sometimes huge) set of IP ranges into a list of active or interesting hosts. Scanning every port of every single IP address is slow and usually unnecessary. Of course, what makes a host interesting depends largely on the purpose of the scan. A network administrator may only be interested in hosts running a particular service, while someone working in security may care about anything with an IP address, even a toilet :-). A system administrator may be comfortable using plain ping to locate hosts on the internal network, while an external penetration tester may rack his brains trying every possible method to get past the firewall.
Because host discovery needs are so varied, Nmap offers a whole basket of options to tailor them. Host discovery is sometimes called ping scanning, but it goes far beyond the simple ICMP echo request packets sent by the ubiquitous ping tool. Users can skip the ping step entirely with a list scan (-sL) or by disabling ping (-P0), or engage the network with arbitrary combinations of multi-port TCP SYN/ACK, UDP and ICMP probes. The purpose of these probes is to solicit responses that show whether an IP address is active (in use by a host or network device). On many networks only a small fraction of IP addresses are active at any given time. This is especially common in RFC 1918 private address space such as 10.0.0.0/8. That network has 16,000,000 IPs, but I have seen it used by companies with fewer than 1000 machines. Host discovery can find the machines scattered across that sea of IP addresses.
If no host discovery options are given, Nmap sends a TCP ACK packet to port 80 and an ICMP echo request to each target machine. One exception is that an ARP scan is used for any target on the local network. For unprivileged UNIX shell users, a SYN packet is sent via the connect() system call instead of the ACK. These defaults are equivalent to the -PA -PE options. Such host discovery is generally sufficient when scanning a local network, but for security auditing a more comprehensive set of probes is recommended.
The -P* options (which select ping types) can be combined. You can increase your odds of getting through a tightly guarded firewall by sending many probe packets with different TCP ports/flags and ICMP codes. Also note that ARP discovery (-PR) is the default for targets on the local network even if you specify other -P* options, because it is always faster and more effective.
From the Nmap Reference Guide

Ping scan

A ping scan does what its name says: it only pings the targets and reports the hosts that respond, so as to determine which hosts are online and gather information about the target without being easily noticed. Use the -sP option (the older name for -sn, as shown in the help output above) to enable a ping scan. By default Nmap sends an ICMP echo request and a TCP packet to the target port. The advantage of a ping scan is that it is quite stealthy, and the information it gathers is limited to host liveness and the corresponding IP and MAC address, which makes it efficient and clear.

❯ nmap -sP 7erry.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-14 11:49 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.035s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds

Nmap's ping scan can also be reproduced with NetCat or a simple shell script wrapping the ping command, for basic host discovery

NoPing scan

Since everyone knows ping scanning as a way of confirming that a host is alive, some firewalls naturally block ping from the outside. The NoPing scan is commonly used in this situation: Nmap scans the target with packets based on TCP/UDP/ICMP/IGMP rather than ping, getting past or around the firewall to achieve the attacker's scanning goal. The option that enables a NoPing scan is -P0 (the digit zero, not the letter O; it is the older name for -Pn shown in the help output above). -P0 can be followed by protocols as arguments, namely the four protocols mentioned above; when no protocol is specified, Nmap defaults to TCP, UDP and ICMP for the NoPing scan.

❯ nmap -P0 7erry.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-14 13:31 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.037s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
7777/tcp closed cbt

Nmap done: 1 IP address (1 host up) scanned in 46.91 seconds

At the same time, the --packet-trace option shows how Nmap uses these protocols to decide whether the target is alive

TCP SYN ping scan

A TCP SYN ping scan sends an empty TCP packet with the SYN flag set (initiating a TCP handshake). It is enabled with -PS[port], where port can be a single port or a comma-separated list of ports; when no port is specified, port 80 is used by default. Nmap's default ping scan uses a TCP ACK packet and an ICMP echo packet to judge whether the target is alive; if those packets are filtered by a firewall, an attacker can try a TCP SYN ping scan to judge liveness instead

❯ nmap -PS 7erry.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-14 13:47 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.038s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
7777/tcp closed cbt

Nmap done: 1 IP address (1 host up) scanned in 43.17 seconds

Nmap's TCP SYN ping scan judges host liveness from SYN/ACK and RST responses, but in some cases a firewall may drop RST packets (for example, mistaking them for an RST attack), making the result inaccurate; an attacker may need to specify the scan port or port range to avoid this as far as possible

TCP ACK ping scan

Very similar to the TCP SYN ping scan, a TCP ACK ping scan sends a TCP packet with the ACK flag set to the target, so as to get past firewalls that block TCP SYN and ICMP echo packets, and judges liveness from whether the target answers with an RST. The option for a TCP ACK ping scan is -PA; it is used the same way as -PS, and the two can be enabled together to run both scans at once.

❯ nmap -PA 7erry.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-14 14:00 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.038s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
7777/tcp closed cbt

Nmap done: 1 IP address (1 host up) scanned in 44.99 seconds

UDP ping scan

Nmap enables a UDP ping scan with the -PU option (requires root). Nmap then sends an empty UDP packet to the specified port, or to port 40125 when none is given. This odd default is used because, for this kind of probe, sending to an open port is rarely what you want. The UDP ping sends an empty UDP packet to the target; a live target answers with an ICMP port unreachable error (Destination Unreachable), otherwise various other ICMP errors come back, and liveness is judged from this

❯ sudo nmap -PU 80 7erry.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-14 14:12 CST
sendto in send_ip_packet_sd: sendto(6, packet, 28, 0, 0.0.0.80, 16) => No route to host
Offending packet: UDP 10.10.248.73:43355 > 0.0.0.80:40125 ttl=44 id=9028 iplen=7168 
sendto in send_ip_packet_sd: sendto(6, packet, 28, 0, 0.0.0.80, 16) => No route to host
Offending packet: UDP 10.10.248.73:43357 > 0.0.0.80:40125 ttl=47 id=22605 iplen=7168 
Nmap done: 2 IP addresses (0 hosts up) scanned in 2.10 seconds

The reason this demo command specifies a port number is that I was surprised to find that leaving it out gives the following result

❯ sudo nmap -PU 7erry.com 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-14 14:13 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.09 seconds

ICMP ping types

There are three ICMP ping scans to choose from, each using a different ICMP request to decide whether the target host is alive

-PE ICMP echo ping

With -PE, Nmap sends an ICMP echo packet to probe whether the target is online. Because this technique is so common, a great many hosts' firewalls block these packets, so an ICMP echo scan alone is often not enough. But when the attacker is inside the internal network, or when the Nmap user is a system administrator who needs to monitor an internal network, this scan is quite useful

❯ nmap -PE 7erry.com
Warning:  You are not root -- using TCP pingscan rather than ICMP
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-14 14:32 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.041s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
7777/tcp closed cbt

Nmap done: 1 IP address (1 host up) scanned in 43.08 seconds

-PP ICMP timestamp ping

Although most firewalls do not allow ICMP echo requests, a misconfigured one may reply to ICMP timestamp requests, so -PP can be used to send ICMP timestamp requests and judge whether the target is alive

❯ nmap -PP 7erry.com
Warning:  You are not root -- using TCP pingscan rather than ICMP
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-14 14:37 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.043s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
7777/tcp closed cbt

Nmap done: 1 IP address (1 host up) scanned in 43.06 seconds

-PM ICMP address mask ping

-PM performs an ICMP address mask ping, which tries to ping the given host with an alternative ICMP type and usually gets past firewalls fairly well

❯ nmap -PM 7erry.com
Warning:  You are not root -- using TCP pingscan rather than ICMP
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-14 14:37 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.042s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
7777/tcp closed cbt

Nmap done: 1 IP address (1 host up) scanned in 42.76 seconds

ARP ping scan

-PR is usually used when scanning a LAN and enables ARP ping. ARP ping is often the most effective discovery method on an internal network, because firewalls on a local LAN practically never block ARP requests. By default, if Nmap finds that the scanned host is on the same LAN it performs an ARP scan; even when a different ping type (-PS, -PA) is specified, Nmap still uses ARP for targets on the same LAN, unless --send-ip is given to opt out of ARP scanning

❯ arp -a
? (10.10.217.93) at 54:16:51:56:8d:39 on en0 ifscope [ethernet]
? (10.10.251.232) at 54:16:51:56:8d:39 on en0 ifscope [ethernet]
? (10.10.255.254) at 54:16:51:56:8d:39 on en0 ifscope [ethernet]
? (10.10.255.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
mdns.mcast.net (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]

❯ nmap -PR 10.10.217.93
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-14 14:45 CST
Nmap scan report for 10.10.217.93
Host is up (0.034s latency).
Not shown: 986 closed tcp ports (conn-refused)
PORT     STATE    SERVICE
20/tcp   filtered ftp-data
80/tcp   open     http
81/tcp   open     hosts2-ns
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
2007/tcp filtered dectalk
3306/tcp open     mysql
3333/tcp filtered dec-notes
5000/tcp open     upnp
5810/tcp filtered unknown
5998/tcp filtered ncd-diag
7000/tcp open     afs3-fileserver
7002/tcp filtered afs3-prserver

Nmap done: 1 IP address (1 host up) scanned in 19.38 seconds

List scan

The list scan is a degenerate form of host discovery, enabled with -sL; it simply lists every host on the specified network without sending any packets to the targets. By default Nmap still performs reverse DNS resolution on the hosts to learn their names

❯ nmap -sL 127.0.0.1
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-16 11:51 CST
Nmap scan report for localhost (127.0.0.1)
Nmap done: 1 IP address (0 hosts up) scanned in 0.01 seconds

Disabling/enabling reverse DNS resolution

When our targets are IP addresses and we don't need the hostnames behind them, the unnecessary reverse DNS resolution noticeably slows the scan; in that case -n disables reverse DNS resolution. The opposite option is -R, which makes Nmap resolve every target IP address

❯ nmap -n 43.143.68.214
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-16 11:56 CST
Nmap scan report for 43.143.68.214
Host is up (0.039s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
7777/tcp closed cbt

Nmap done: 1 IP address (1 host up) scanned in 42.71 seconds

Using the system resolver

Sometimes, to speed up access through a CDN or to reach the domestic nodes of foreign sites, we add DNS records through the hosts file or a local DNS resolver. To make Nmap use our local resolver, specify --system-dns

❯ nmap --system-dns 43.143.68.214
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-16 12:00 CST
Nmap scan report for 43.143.68.214
Host is up (0.039s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
7777/tcp closed cbt

Nmap done: 1 IP address (1 host up) scanned in 43.34 seconds

IPv6 scan

Nmap uses IPv4 addresses by default; to scan IPv6 addresses, enable IPv6 scanning with -6

Traceroute

Nmap can trace the route with --traceroute; an attacker can use it to learn how traffic flows on the network and which hops lie between the local machine and the target

❯ sudo nmap --traceroute 7erry.com
Password:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-16 12:06 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.037s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
7777/tcp closed cbt

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   5.21 ms  10.21.39.254
2   5.24 ms  192.168.243.85
3   ... 13
14  36.95 ms 43.143.68.214

Nmap done: 1 IP address (1 host up) scanned in 10.87 seconds

SCTP INIT ping scan

Some hosts may support SCTP; with -PY Nmap can probe a target over SCTP at the transport layer

Port scanning

Because system services usually have default ports, i.e. ports are always tied to network services, an attacker can use port scanning: sending probes to ports and judging from the replies which network services run on them, thereby learning which services the target host runs and which versions, and so finding points of attack

Timing options

Nmap enables timing templates with -T[0-5]; there are six of them, namely

  • T0 (paranoid): very slow scan, for IDS evasion
  • T1 (sneaky): slow scan, for IDS evasion
  • T2 (polite): slows down to use less bandwidth; rarely used
  • T3 (normal): the default; adjusts timing automatically to the target's responses
  • T4 (aggressive): fast scan and the commonly used mode; needs a good network, and the requests may flood the target
  • T5 (insane): extremely fast, trading accuracy for speed

In my network environment, scanning my site 7erry.com with Nmap, T0 took roughly s and T5 took 24.87s

Common scan forms

The -p option selects the ports to scan: a single port, a range joined with -, or a comma-separated list of individual ports. Ports can be prefixed with T: or U: to select the transport protocol; when T: and U: are both used they must be separated by a comma

❯ nmap -p 80 7erry.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-16 12:39 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.036s latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

❯ nmap -p 80-800 7erry.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-16 12:39 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.037s latency).
Not shown: 719 filtered tcp ports (no-response)
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 32.18 seconds

❯ nmap -p U:88,T:443 7erry.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-16 14:46 CST
WARNING: Your ports include "U:" but you haven't specified UDP scan with -sU.
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.037s latency).

PORT    STATE  SERVICE
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

Note the WARNING: Your ports include "U:" but you haven't specified UDP scan with -sU.
Nmap requires the scan mode to be given when TCP and UDP ports are combined; otherwise an unprefixed port number is added to every protocol list
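To make the -p grammar concrete, here is a small parser for it, added here as an example and not part of Nmap: it expands ranges and protocol prefixes as the help text above describes, adds unprefixed ports to every protocol being scanned, and reproduces the warning for a U: prefix without -sU. The scan_protos parameter is this example's own convention for which protocols the scan covers.

```python
"""Parse Nmap's -p port specification the way the help text above describes it.

Added example, not Nmap's own code. Items are separated by commas; an item is
a port, an a-b range (either end may be omitted), or "-" for every port; a
T:/U:/S: prefix selects TCP/UDP/SCTP and stays in effect for the items that
follow it until the next prefix.
"""
import re
from typing import Dict, List, Set, Tuple

PROTOS = ("T", "U", "S")
_NAMES = {"T": "TCP", "U": "UDP", "S": "SCTP"}


def expand_item(item: str) -> Set[int]:
    """Expand "80", "80-800", "1-", "-1024" or "-" into a set of port numbers."""
    if item == "-":
        return set(range(0, 65536))
    m = re.fullmatch(r"(\d*)-(\d*)|(\d+)", item)
    if not m:
        raise ValueError(f"bad port item: {item!r}")
    if m.group(3) is not None:
        lo = hi = int(m.group(3))
    else:
        lo = int(m.group(1)) if m.group(1) else 0
        hi = int(m.group(2)) if m.group(2) else 65535
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of bounds: {item!r}")
    return set(range(lo, hi + 1))


def parse_port_spec(spec: str, scan_protos: Tuple[str, ...] = ("T",)):
    """Return ({proto: ports}, warnings).

    scan_protos (this example's convention) names the protocols the scan
    actually covers: ("T",) for a plain TCP scan, ("T", "U") when -sU is
    added, ("T", "U", "S") with -sY as well. Items without a prefix go to
    every protocol in scan_protos, which is the "added to all protocol
    lists" behaviour noted above; a prefix for a protocol that is not being
    scanned produces a warning like the one quoted above.
    """
    ports: Dict[str, Set[int]] = {p: set() for p in PROTOS}
    current = None  # protocol prefix currently in effect, None before the first one
    for raw in spec.split(","):
        item = raw.strip()
        m = re.fullmatch(r"([TUS]):(.*)", item)
        if m:
            current, item = m.group(1), m.group(2)
        if not item:
            continue
        for proto in ([current] if current else scan_protos):
            ports[proto] |= expand_item(item)
    warnings: List[str] = []
    for proto in PROTOS:
        if ports[proto] and proto not in scan_protos:
            warnings.append(f"Your ports include \"{proto}:\" but you haven't "
                            f"specified {_NAMES[proto]} scan.")
    return ports, warnings


if __name__ == "__main__":
    # The two cases shown above: a TCP range, and a U: prefix without -sU.
    print(len(parse_port_spec("80-800")[0]["T"]), "TCP ports in 80-800")
    print(parse_port_spec("U:88,T:443")[1])
```

The 80-800 range expands to 721 ports, which matches the "Not shown: 719" plus two listed ports in the scan above.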

In addition, Nmap has surveyed how often each port is found open and stores the results in nmap-services; --top-ports [n] scans the n ports with the highest open rate, and --port-ratio [n] scans the ports whose open probability is above n

Fast scan

-F performs a fast scan; Nmap's nmap-services file defines which ports the fast scan covers by default, and --datadir can point Nmap at your own nmap-services file

❯ nmap -F 7erry.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-16 14:51 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.036s latency).
Not shown: 97 filtered tcp ports (no-response)
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 5.41 seconds

TCP SYN scan

The TCP SYN scan is enabled with -sS and is often called a half-open scan because it never completes the TCP three-way handshake: it only sends a TCP SYN packet. An RST reply means the target port is closed; a SYN/ACK means it is open, and on receiving the SYN/ACK Nmap sends an RST instead of an ACK to tear the connection down. This avoids being noticed by the target host, is fairly stealthy and correspondingly fast, and distinguishes port states clearly, so it is highly efficient and therefore the most commonly used scan.

❯ sudo nmap -sS 7erry.com
Password:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-16 15:03 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.039s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
7777/tcp closed cbt

Nmap done: 1 IP address (1 host up) scanned in 4.66 seconds

TCP connect scan

When the TCP SYN scan cannot be used, Nmap falls back to the TCP connect scan for TCP scanning. It is enabled with -sT and, unlike the SYN scan, completes the full three-way handshake, so it leaves records in the target's system logs; from the blue team's point of view, a large number of connection attempts from the same source in the system logs indicates that the system has been scanned with an Nmap TCP connect scan

❯ sudo nmap -sT 7erry.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-16 15:08 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.039s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
7777/tcp closed cbt

Nmap done: 1 IP address (1 host up) scanned in 43.16 seconds
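The blue-team observation above, turned into detection logic, as an added example that is not part of the original post: it parses constructed firewall log lines (shaped like Linux netfilter LOG output, with documentation addresses) and flags any source that touches many distinct destination ports within a short window. The window and threshold are this example's own choices.

```python
"""Spot port-scan behaviour in a packet-level firewall log.

Added example, not part of the original post. The sample lines are constructed
in the shape of Linux netfilter LOG output (trimmed to the fields used here)
and use documentation addresses, not real hosts.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: 198.51.100.7 opens connections to six different ports
# within three seconds, the pattern a connect or SYN scan leaves behind;
# 192.0.2.44 is an ordinary client talking to two services a minute apart.
SAMPLE_LOG = """\
Dec 16 15:08:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=43355 DPT=22 SYN
Dec 16 15:08:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=43356 DPT=80 SYN
Dec 16 15:08:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=43357 DPT=443 SYN
Dec 16 15:08:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=43358 DPT=7777 SYN
Dec 16 15:08:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=43359 DPT=3306 SYN
Dec 16 15:08:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=43360 DPT=8080 SYN
Dec 16 15:08:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=443 SYN
Dec 16 15:09:10 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=51001 DPT=22 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse_events(log_text: str) -> Dict[str, List[Tuple[datetime, int]]]:
    """Group (timestamp, destination port) pairs by source address."""
    events: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; strptime fills in 1900, which is
        # harmless because only differences between timestamps are used.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events[m.group("src")].append((ts, int(m.group("dpt"))))
    return events


def detect_scanners(log_text: str, window_s: int = 60, min_ports: int = 5) -> Dict[str, int]:
    """Return {source: distinct_ports} for every source that reached at least
    min_ports distinct destination ports inside some window_s-second window.

    A connect scan (-sT) completes the handshake, so the same source also
    shows up in the services' own logs; a half-open SYN scan (-sS) is only
    visible at this packet level, which is why the counting is done here.
    """
    findings: Dict[str, int] = {}
    for src, evs in parse_events(log_text).items():
        evs.sort()
        best = 0
        j = 0
        for i in range(len(evs)):
            # Slide the right edge forward while it stays inside the window.
            while j < len(evs) and (evs[j][0] - evs[i][0]).total_seconds() <= window_s:
                j += 1
            best = max(best, len({port for _, port in evs[i:j]}))
        if best >= min_ports:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, n in detect_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct ports inside 60 s, likely port scan")
```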

UDP scan

The UDP scan is enabled with -sU; it is slow and works on the same principle as UDP host discovery, judging the port state from ICMP port unreachable errors

❯ sudo nmap -sU -p 80  7erry.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-16 15:13 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.035s latency).

PORT   STATE         SERVICE
80/udp open|filtered http

Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds

Stealth scans

Stealth scans can slip past the filtering of some stateless firewalls and offer good firewall penetration and stealth; there are three of them, -sN, -sF and -sX

  • -sN enables the Null scan, which probes the target with unusual TCP packets that carry no flags at all; if the target port is closed an RST comes back, otherwise there is no response

  • -sF enables the FIN scan, which is like the TCP SYN scan except that the probe carries a FIN flag instead of SYN. A closed port replies with RST; if no RST comes back the port is open (or filtered)

  • -sX enables the Xmas scan, which sends packets with the FIN, PSH and URG flags set; under RFC 793 a closed port answers with RST, while an open port gives no response

❯ sudo nmap -sN 7erry.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-16 15:21 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.037s latency).
All 1000 scanned ports on 7erry.com (43.143.68.214) are in ignored states.
Not shown: 1000 open|filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 38.85 seconds

❯ sudo nmap -sF 7erry.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-16 15:22 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.041s latency).
All 1000 scanned ports on 7erry.com (43.143.68.214) are in ignored states.
Not shown: 1000 open|filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 5.83 seconds

❯ sudo nmap -sX 7erry.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-16 15:23 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.037s latency).
All 1000 scanned ports on 7erry.com (43.143.68.214) are in ignored states.
Not shown: 1000 open|filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 5.17 seconds

For the Xmas scan, if the target system does not follow RFC 793, an RST comes back whether the port is open or closed

TCP ACK scan

-sA enables the TCP ACK scan. It resembles the TCP SYN scan, but the probe packet has the ACK flag set instead.

❯ sudo nmap -sA 7erry.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-16 16:56 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.036s latency).
All 1000 scanned ports on 7erry.com (43.143.68.214) are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 5.15 seconds

TCP window scan

-sW performs a window scan, which is like the ACK scan except that it judges the port state from whether the TCP window size advertised in the returned RST is zero

❯ sudo nmap -sW 7erry.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-16 17:01 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.036s latency).
All 1000 scanned ports on 7erry.com (43.143.68.214) are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 5.10 seconds

TCP Maimon scan

The Maimon scan is one that puzzles me; the official Nmap guide describes it like this

The Maimon scan is named after its discoverer, Uriel Maimon. He described the technique in Phrack Magazine issue #49 (November 1996). Nmap added it two issues later. This technique is exactly the same as the Null, FIN and Xmas scans, except that the probe is FIN/ACK. According to RFC 793 (TCP), an RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD-derived systems simply drop the probe if the port is open

In short, the Maimon scan seems to be essentially a FIN scan; it is enabled with -sM.

❯ sudo nmap -sM 7erry.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-16 17:06 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.037s latency).
All 1000 scanned ports on 7erry.com (43.143.68.214) are in ignored states.
Not shown: 1000 open|filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 39.07 seconds
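The port-state rules of the TCP scan types above (SYN, connect, Null/FIN/Xmas, ACK, window and Maimon), collected into one function, as an added example and not Nmap's own code: the Reply type and the scan labels are this example's own notation, the rules are the RFC 793 behaviour the Nmap reference guide documents, and the constructed reply table reproduces the counts seen in the scans of 7erry.com above.

```python
"""Port-state rules for the TCP scan types covered above (-sS, -sT, -sN, -sF,
-sX, -sM, -sA, -sW), as a single table-driven function.

Added example, not Nmap's code. The rules are the RFC 793 behaviour that the
Nmap reference guide documents; a real stack may deviate (the Xmas note above
mentions systems that answer RST whatever the port state), so the result is
what Nmap would report, not ground truth.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Reply:
    """What came back for one probe: "syn_ack", "rst", "icmp_unreach" or
    "none". window is the TCP window of an RST and only matters for -sW."""
    kind: str
    window: int = 0


SILENT = Reply("none")

# Probes that are not a normal connection attempt (Null, FIN, Xmas, FIN/ACK):
# a closed port answers RST, an open port drops the packet, so silence cannot
# be told apart from a filter and is reported as open|filtered.
_UNUSUAL = {"sN", "sF", "sX", "sM"}


def infer_state(scan: str, reply: Reply) -> str:
    if reply.kind == "icmp_unreach":
        return "filtered"      # an ICMP unreachable error means a filter in the path
    if scan in ("sS", "sT"):   # half-open and connect scans share the same three outcomes
        state = {"syn_ack": "open", "rst": "closed", "none": "filtered"}.get(reply.kind)
        if state:
            return state
    if scan in _UNUSUAL:
        if reply.kind == "rst":
            return "closed"
        if reply.kind == "none":
            return "open|filtered"
    if scan == "sA":           # an RST only proves the port is reachable, not open
        if reply.kind == "rst":
            return "unfiltered"
        if reply.kind == "none":
            return "filtered"
    if scan == "sW":           # like -sA, but a non-zero window in the RST marks an open port
        if reply.kind == "rst":
            return "open" if reply.window > 0 else "closed"
        if reply.kind == "none":
            return "filtered"
    raise ValueError(f"unexpected reply {reply.kind!r} for scan {scan!r}")


def summarize(scan: str, replies: Dict[int, Reply]) -> Dict[str, int]:
    """Count ports per reported state: the figures behind Nmap's
    "Not shown: N <state> tcp ports" line."""
    counts: Dict[str, int] = {}
    for reply in replies.values():
        state = infer_state(scan, reply)
        counts[state] = counts.get(state, 0) + 1
    return counts


def sample_replies() -> Dict[int, Reply]:
    """Constructed reply table shaped like the scans above: 1000 probed ports
    (a stand-in for Nmap's default list), 22 and 80 answer SYN/ACK, 443 and
    7777 answer RST, and the remaining 996 are dropped by a firewall."""
    probed = list(range(1, 1000)) + [7777]
    table = {port: SILENT for port in probed}
    table[22] = table[80] = Reply("syn_ack")
    table[443] = table[7777] = Reply("rst", window=0)
    return table


if __name__ == "__main__":
    for scan in ("sS", "sN", "sA", "sW"):
        print(scan, summarize(scan, sample_replies() if scan == "sS"
                              else {p: SILENT for p in range(1, 1001)}))
```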

Custom TCP scan

Nmap's TCP-based scans do not stop there. An attacker can enable a custom TCP scan with --scanflags, followed by the names of TCP header flags such as ACK, SYN and FIN written without separating spaces; for example --scanflags URGACKPSHRSTSYNFIN sends probes with the URG, ACK, PSH, RST, SYN and FIN flags set. If no flags are specified, a SYN scan is performed by default

❯ sudo nmap --scanflags URGACKPSHRSTSYNFIN 7erry.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-16 17:11 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.036s latency).
All 1000 scanned ports on 7erry.com (43.143.68.214) are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 5.24 seconds

Idle scan

The idle scan (IdleScan), also called a zombie scan, allows a truly blind TCP port scan of the target (no packets are sent from the real IP address to the target, so it can also be called a fully spoofed port scan). The technique is quite involved; in short, it uses a zombie host to bounce a side channel back to the attacker for port scanning, so that the IDS takes the zombie for the attacker and the real source stays hidden. Nmap's author wrote an informal paper explaining the principle

IP protocol scan

Although the concept of a port belongs to the transport layer and above, we consider the IP protocol scan a kind of port scan as well. It determines which IP protocols the target host supports by sending bare IP headers, and is enabled with -sO

❯ sudo nmap -sO 7erry.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-16 17:24 CST
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.036s latency).
Not shown: 255 open|filtered n/a protocols (no-response)
PROTOCOL STATE SERVICE
1        open  icmp

Nmap done: 1 IP address (1 host up) scanned in 9.83 seconds

FTP bounce scan

-b enables the FTP bounce scan, but this technique is rarely used any more because so few servers still support it, so it is not covered further

Fingerprinting and detection

Nmap can also identify the services and versions running on the target. This ability comes mainly from Nmap-service: after a port scan finds ports, Nmap matches the responses against the expressions in Nmap-service, which holds the reply patterns of all kinds of services, and so identifies the service, its protocol, the application behind it, the version number, hostname, device type, operating system and so on. For versions Nmap cannot determine, it gives the probability of each candidate for the user to judge; once the attacker has confirmed the version, the corresponding 0-day or N-day vulnerabilities can be used for fuzzing or direct penetration testing

Service identification and version detection

Nmap enables version detection with the -sV option

❯ nmap -sV 7erry.com
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-16 18:39 中国标准时间
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.12s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open   http
443/tcp  closed https
7777/tcp closed cbt
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.94%I=7%D=12/16%Time=657D7E59%P=i686-pc-windows-windows%r
SF:(GetRequest,269C,"HTTP/1\.1\x20200\x20OK\r\nX-Powered-By:\x20Hexo\r\nCo
SF:ntent-Type:\x20text/html\r\nDate:\x20Sat,\x2016\x20Dec\x202023\x2010:39
SF::24\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20HTML>\n<html>\n<
SF:head>\n\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20<meta\x20http-equiv
SF:=\"pragma\"\x20content=\"no-cache\">\n\x20\x20<meta\x20http-equiv=\"cac
SF:he-control\"\x20content=\"no-cache\">\n\x20\x20<meta\x20http-equiv=\"ex
SF:pires\"\x20content=\"0\">\n\x20\x20\n\x20\x20<title>JeRyWu&#39;s\x20Web
SF:site</title>\n\x20\x20<meta\x20name=\"author\"\x20content=\"JeRyWu\">\n
SF:\x20\x20\n\x20\x20<meta\x20name=\"description\"\x20content=\"I\x20am\x2
SF:0JeRyWu\x20,\x20An\x20ACG\x20lover\x20and\x20a\x20Geek\x20Style\x20Tech
SF:\x20lover,who\x20is\x20willing\x20to\x20spend\x20lifelong\x20time\x20wi
SF:th\x20them\">\n\x20\x20\n\x20\x20\n\x20\x20<meta\x20name=\"viewport\"\x
SF:20content=\"width=device-width,\x20initial-scale=1,\x20maximum-scale=1\
SF:">\n\n\x20\x20\n\x20\x20<meta\x20property=\"og:site_name\"\x20content=\
SF:"JeRyWu&#39;s\x20Website\"/>\n\n\x20\x20\n\x20\x20\x20\x20<meta\x20prop
SF:erty=\"og:image\"\x20content=\"\"/>\n\x20\x20\n\n\x20\x20\n\x20\x20\x20
SF:\x20<link\x20rel=\"alternative\"\x20href=\"/atom\.xml\"\x20title=\"JeRy
SF:Wu&#39;s\x20Website\"\x20type=\"application/atom\+xml\">\n\x20\x20\n\x2
SF:0\x20\n\x20\x20\x20\x20<link\x20href=\"/favicon\.ico\"")%r(HTTPOptions,
SF:180,"HTTP/1\.1\x20404\x20Not\x20Found\r\nX-Powered-By:\x20Hexo\r\nConte
SF:nt-Security-Policy:\x20default-src\x20'none'\r\nX-Content-Type-Options:
SF:\x20nosniff\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-
SF:Length:\x20143\r\nDate:\x20Sat,\x2016\x20Dec\x202023\x2010:39:24\x20GMT
SF:\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en\
SF:">\n<head>\n<meta\x20charset=\"utf-8\">\n<title>Error</title>\n</head>\
SF:n<body>\n<pre>Cannot\x20OPTIONS\x20/</pre>\n</body>\n</html>\n")%r(RTSP
SF:Request,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\
SF:r\n\r\n")%r(X11Probe,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnecti
SF:on:\x20close\r\n\r\n")%r(FourOhFourRequest,19F,"HTTP/1\.1\x20404\x20Not
SF:\x20Found\r\nX-Powered-By:\x20Hexo\r\nContent-Security-Policy:\x20defau
SF:lt-src\x20'none'\r\nX-Content-Type-Options:\x20nosniff\r\nContent-Type:
SF:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20174\r\nDate:\x20S
SF:at,\x2016\x20Dec\x202023\x2010:39:25\x20GMT\r\nConnection:\x20close\r\n
SF:\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en\">\n<head>\n<meta\x20charset
SF:=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot\x20GET\
SF:x20/nice%20ports%2C/Tri%6Eity\.txt%2ebak</pre>\n</body>\n</html>\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.35 seconds
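The "unrecognized service" fingerprint above has a regular shape: a header of key=value fields, then one %r(Probe,HexLength,"escaped data") entry per probe that got a reply, wrapped over SF: continuation lines. As an added example (not Nmap's code), this decoder rebuilds the responses so a defender can see exactly what the service disclosed; the fingerprint it parses is constructed in that format and shortened to two probes, not the one printed above.

```python
"""Decode the service fingerprint Nmap prints when -sV cannot name a service.

Added example, not Nmap's code. SAMPLE_FP is constructed in the same format as
the fingerprint above (header fields, then %r(Probe,HexLen,"data") entries
continued over SF: lines) but shortened to two probes with made-up lengths
that match their decoded payloads.
"""
import re
from dataclasses import dataclass
from typing import Dict, Tuple

SAMPLE_FP = r"""
SF-Port80-TCP:V=7.94%I=7%D=12/16%Time=657D7E59%P=i686-pc-windows-windows%r
SF:(GetRequest,3A,"HTTP/1\.1\x20200\x20OK\r\nX-Powered-By:\x20Hexo\r\nConn
SF:ection:\x20close\r\n\r\n")%r(RTSPRequest,2F,"HTTP/1\.1\x20400\x20Bad\x20R
SF:equest\r\nConnection:\x20close\r\n\r\n");
"""

_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\(.)", re.S)
_CONTROL = {"r": "\r", "n": "\n", "t": "\t", "0": "\0"}
# One probe entry; the data may contain \" so quotes are matched as escape pairs.
_RESPONSE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')


def unescape(s: str) -> str:
    """Undo Nmap's escaping: \\xHH bytes, \\r \\n \\t \\0, and regex-style
    escapes such as \\. or \\+ that stand for the literal character."""
    def one(m: "re.Match[str]") -> str:
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        c = m.group(2)
        return _CONTROL.get(c, c)
    return _ESCAPE.sub(one, s)


@dataclass
class Fingerprint:
    port: int
    proto: str
    fields: Dict[str, str]                    # V, I, D, Time, P from the header
    responses: Dict[str, Tuple[int, str]]     # probe -> (declared length, decoded data)


def parse_fingerprint(text: str) -> Fingerprint:
    """Join the SF-/SF: lines and split the result into header and probes."""
    body = []
    port, proto = 0, ""
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"SF-Port(\d+)-(\w+):(.*)", line)
        if m:
            port, proto = int(m.group(1)), m.group(2)
            body.append(m.group(3))
        elif line.startswith("SF:"):
            body.append(line[3:])
    joined = "".join(body)
    head, sep, rest = joined.partition("%r(")
    fields = dict(kv.split("=", 1) for kv in head.split("%") if "=" in kv)
    responses = {}
    for name, hexlen, data in _RESPONSE.findall(sep + rest):
        responses[name] = (int(hexlen, 16), unescape(data))
    return Fingerprint(port, proto, fields, responses)


def http_headers(data: str) -> Dict[str, str]:
    """Header map from an HTTP-shaped response (status line and body ignored)."""
    head = data.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def leaked_software(fp: Fingerprint) -> Dict[str, str]:
    """Collect the self-identifying headers the service handed to the scanner."""
    out: Dict[str, str] = {}
    for _, data in fp.responses.values():
        for name, value in http_headers(data).items():
            if name.lower() in ("server", "x-powered-by"):
                out[name] = value
    return out


if __name__ == "__main__":
    fp = parse_fingerprint(SAMPLE_FP)
    print(f"port {fp.port}/{fp.proto}, Nmap {fp.fields['V']}, probes answered: {list(fp.responses)}")
    print("software disclosed:", leaked_software(fp))
```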

Nmap identified the SSH service I run and its version from the service fingerprint

Full-port version detection

Nmap scans 1000 ports by default; besides choosing ports with -p, we can also enable version detection on all ports directly with --allports

❯ nmap -sV --allports 7erry.com
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-16 18:44 中国标准时间
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.055s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open   http
443/tcp  closed https
7777/tcp closed cbt
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.47 seconds

Setting the scan intensity

Nmap can run version detection at different intensities depending on the setting. The intensity is set with --version-intensity [0-9] (the default is 7).

Light scan

The --version-light option runs a light scan, which is equivalent to --version-intensity 2. It suits cases where saving time matters more than a little lost accuracy.

❯ nmap -sV --version-light 7erry.com
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-16 19:00 中国标准时间
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.044s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open   http?
443/tcp  closed https
7777/tcp closed cbt
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.05 seconds

Heavy scan

The --version-all option runs a heavy scan, which is equivalent to --version-intensity 9. Nmap then tries every probe against every scanned port; this takes the longest but gives the highest accuracy.

❯ nmap -sV --version-all 7erry.com
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-16 19:03 中国标准时间
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.066s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open   http
443/tcp  closed https
7777/tcp closed cbt
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.60 seconds
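To make concrete what the light and heavy settings above actually change, here is an added example (not Nmap's code and not part of the original guide): it parses a constructed excerpt written in nmap-service-probes syntax and applies Nmap's documented selection rule, that a probe is tried when its rarity is at or below the intensity, or when the port is listed in the probe's ports/sslports directive. The probe names are Nmap's, but the rarity values and port lists in the excerpt are made up for the demonstration, and the function names are my own.

```python
"""Which nmap-service-probes entries does a version scan send at a given intensity?

Added example, not Nmap's own code. PROBES_EXCERPT is written in the
nmap-service-probes syntax, but its rarity values and port lists are
constructed for illustration and do not reproduce the real database.
"""
import re
from dataclasses import dataclass, field

PROBES_EXCERPT = r"""
# constructed excerpt: probe names are Nmap's, rarity/ports values are made up
Probe TCP NULL q||
Probe TCP GenericLines q|\r\n\r\n|
rarity 1
ports 21,23,25,110,143,587
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
rarity 1
ports 80,443,8000-8010
Probe TCP HTTPOptions q|OPTIONS / HTTP/1.0\r\n\r\n|
rarity 4
ports 80,443,8080
Probe TCP RTSPRequest q|OPTIONS / RTSP/1.0\r\n\r\n|
rarity 5
ports 554,8554
Probe TCP FourOhFourRequest q|GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0\r\n\r\n|
rarity 7
ports 80,443,8080
Probe TCP Kerberos q|\0\0\0\x71\x6a\x81\x6e|
rarity 9
ports 88,464
"""

DEFAULT_INTENSITY = 7  # Nmap's default when no --version-* flag is given


@dataclass
class Probe:
    proto: str
    name: str
    payload: str
    rarity: int = 1          # assumed here for probes that carry no rarity line
    ports: set = field(default_factory=set)


def _expand_ports(spec: str) -> set:
    """Expand a spec like '80,443,8000-8010' into a set of port numbers."""
    out = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_probes(text: str) -> list:
    """Parse Probe / rarity / ports / sslports directives, keeping file order."""
    probes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"Probe\s+(TCP|UDP)\s+(\S+)\s+q\|(.*)\|$", line)
        if m:
            probes.append(Probe(*m.groups()))
            continue
        if not probes:
            continue  # directive before any Probe line: nothing to attach it to
        key, _, value = line.partition(" ")
        if key == "rarity":
            probes[-1].rarity = int(value)
        elif key in ("ports", "sslports"):
            probes[-1].ports |= _expand_ports(value)
    return probes


def intensity_from_args(args: list) -> int:
    """Resolve the effective intensity from nmap-style arguments; the last flag wins."""
    level = DEFAULT_INTENSITY
    it = iter(args)
    for arg in it:
        if arg == "--version-light":
            level = 2
        elif arg == "--version-all":
            level = 9
        elif arg == "--version-intensity":
            level = int(next(it))
        elif arg.startswith("--version-intensity="):
            level = int(arg.split("=", 1)[1])
    if not 0 <= level <= 9:
        raise ValueError("--version-intensity must be between 0 and 9")
    return level


def select_probes(probes: list, port: int, intensity: int, proto: str = "TCP") -> list:
    """Names of the probes Nmap would try against `port`, in file order.

    Rule from the nmap-service-probes documentation: a probe is sent when its
    rarity <= intensity, or when the port is listed in its ports/sslports
    directive regardless of intensity. The TCP NULL probe (just listening for
    a banner) is always sent first.
    """
    return [p.name for p in probes
            if p.proto == proto
            and (p.name == "NULL" or p.rarity <= intensity or port in p.ports)]


if __name__ == "__main__":
    probes = parse_probes(PROBES_EXCERPT)
    for argv in (["-sV", "--version-light"], ["-sV"], ["-sV", "--version-all"]):
        level = intensity_from_args(argv)
        for port in (22, 80):
            print(f"{' '.join(argv):20} intensity={level} port {port}: "
                  f"{select_probes(probes, port, level)}")
```

Port 80 picks up HTTPOptions and FourOhFourRequest even at intensity 2 because the port is registered on them, while RTSPRequest only joins at intensity 5 and above; that is the mechanism behind the longer run time and higher accuracy of --version-all.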

Getting detailed version-scan information

With the --version-trace option, Nmap prints much more detailed information about the version scan, including each probe it sends and the response it gets back.
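A --version-trace run prints one line per probe sent and one per read callback, so the story of a single port is spread over dozens of lines. As an added example (not Nmap's code and not part of the original guide), the Python below condenses such a trace into a per-port list of probes and their outcomes, using lines copied, abbreviated, from the trace that follows; the function and field names are my own.

```python
"""Condense an Nmap --version-trace log into per-port probe outcomes.

Added example, not Nmap's own code. TRACE holds lines copied (abbreviated)
from the --version-trace output shown on this page; the summary layout is mine.
"""
import re
from collections import defaultdict

TRACE = """\
Service scan sending probe NULL to 43.143.68.214:22 (tcp)
NSOCK INFO [5.0080s] nsock_read(): Read request from IOD #1 [43.143.68.214:22] (timeout: 6000ms) EID 26
Service scan sending probe NULL to 43.143.68.214:80 (tcp)
NSOCK INFO [5.0670s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 26 [43.143.68.214:22] (41 bytes): SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1..
Service scan hard match (Probe NULL matched with NULL line 3524): 43.143.68.214:22 is ssh.  Version: |OpenSSH|8.9p1 Ubuntu 3ubuntu0.1|Ubuntu Linux; protocol 2.0|
NSOCK INFO [11.0220s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 34 [43.143.68.214:80]
Service scan sending probe GetRequest to 43.143.68.214:80 (tcp)
NSOCK INFO [11.0760s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 50 [43.143.68.214:80] (14120 bytes)
Service scan sending probe HTTPOptions to 43.143.68.214:80 (tcp)
NSOCK INFO [11.2010s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 74 [43.143.68.214:80] (384 bytes)
NSOCK INFO [11.2030s] nsock_trace_handler_callback(): Callback: READ EOF for EID 82 [43.143.68.214:80]
Service scan sending probe GenericLines to 43.143.68.214:80 (tcp)
NSOCK INFO [17.0110s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 202 [43.143.68.214:80]
"""

SEND_RE = re.compile(r"^Service scan sending probe (\S+) to (\S+:\d+) \((\w+)\)")
READ_RE = re.compile(r"Callback: READ (SUCCESS|TIMEOUT|EOF) for EID \d+ \[(\S+:\d+)\](?: \((\d+) bytes\))?")
MATCH_RE = re.compile(r"^Service scan (hard|soft) match \(Probe (\S+) matched with \S+ line \d+\): "
                      r"(\S+:\d+) is (\S+)\.(?:\s+Version: \|(.*)\|)?")


def summarize_trace(text: str) -> dict:
    """Map each ip:port to the probes sent to it, their outcomes and any match.

    A probe is tied to its outcome by endpoint: the first READ callback for an
    endpoint after a 'sending probe' line is taken as that probe's result, and
    later reads for the same probe (e.g. the READ EOF after a reply) are ignored.
    """
    result = defaultdict(lambda: {"probes": [], "match": None})
    pending = {}  # endpoint -> index of the probe still awaiting an outcome
    for line in text.splitlines():
        m = SEND_RE.match(line)
        if m:
            name, endpoint, _proto = m.groups()
            result[endpoint]["probes"].append({"probe": name, "outcome": "pending", "bytes": 0})
            pending[endpoint] = len(result[endpoint]["probes"]) - 1
            continue
        m = READ_RE.search(line)
        if m:
            kind, endpoint, nbytes = m.groups()
            if endpoint in pending:
                entry = result[endpoint]["probes"][pending.pop(endpoint)]
                entry["outcome"] = kind.lower()
                entry["bytes"] = int(nbytes or 0)
            continue
        m = MATCH_RE.match(line)
        if m:
            strength, probe, endpoint, service, version = m.groups()
            result[endpoint]["match"] = {"strength": strength, "probe": probe,
                                         "service": service, "version": version}
    return dict(result)


def unmatched_with_data(summary: dict) -> list:
    """Endpoints that answered at least one probe but never matched a signature.

    These are the ports for which Nmap reports 'service unrecognized despite
    returning data' and prints a fingerprint for submission.
    """
    return sorted(ep for ep, info in summary.items()
                  if info["match"] is None and any(p["bytes"] for p in info["probes"]))


if __name__ == "__main__":
    summary = summarize_trace(TRACE)
    for endpoint, info in summary.items():
        print(endpoint, "->", info["match"]["service"] if info["match"] else "no match")
        for p in info["probes"]:
            print(f"   {p['probe']:<14} {p['outcome']:<8} {p['bytes']} bytes")
    print("unrecognized despite returning data:", unmatched_with_data(summary))
```

On the page's trace this shows port 22 settled by the NULL probe's banner alone, while port 80 answered GetRequest with 14120 bytes yet produced no match, which is why Nmap keeps sending further probes to it.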

❯ nmap -sV --version-trace 7erry.com
Packet.dll present, library version 1.75
wpcap.dll present, library version: Npcap version 1.75, based on libpcap version 1.10.4
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-16 19:09 中国标准时间
PORTS: Using ports open on 0% or more average hosts (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.4.
NSE: Arguments from CLI:
NSE: Loaded 46 scripts for scanning.
Packet capture filter (device eth2): dst host 10.21.34.93 and (icmp or icmp6 or ((tcp) and (src host 43.143.68.214)))
We got a ping packet back from 43.143.68.214: id = 1858 seq = 0 checksum = 63677
Overall sending rates: 75.47 packets / s, 2867.92 bytes / s.
mass_rdns: Using DNS server 202.114.0.131
mass_rdns: Using DNS server 202.114.0.242
mass_rdns: Using DNS server 202.114.0.131
mass_rdns: Using DNS server 202.114.0.242
mass_rdns: 0.05s 0/1 [#: 4, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
DNS resolution of 1 IPs took 0.05s. Mode: Async [#: 4, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Packet capture filter (device eth2): dst host 10.21.34.93 and (icmp or icmp6 or ((tcp) and (src host 43.143.68.214)))
doAnyOutstandingRetransmits took 39ms
Overall sending rates: 435.51 packets / s, 19162.53 bytes / s.
NSOCK INFO [4.9660s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [4.9670s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:22 (IOD #1) EID 8
NSOCK INFO [4.9670s] nsock_iod_new2(): nsock_iod_new (IOD #2)
NSOCK INFO [4.9730s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #2) EID 16
NSOCK INFO [5.0070s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [43.143.68.214:22]
Service scan sending probe NULL to 43.143.68.214:22 (tcp)
NSOCK INFO [5.0080s] nsock_read(): Read request from IOD #1 [43.143.68.214:22] (timeout: 6000ms) EID 26
NSOCK INFO [5.0090s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 16 [43.143.68.214:80]
Service scan sending probe NULL to 43.143.68.214:80 (tcp)
NSOCK INFO [5.0090s] nsock_read(): Read request from IOD #2 [43.143.68.214:80] (timeout: 6000ms) EID 34
NSOCK INFO [5.0670s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 26 [43.143.68.214:22] (41 bytes): SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1..
Service scan hard match (Probe NULL matched with NULL line 3524): 43.143.68.214:22 is ssh.  Version: |OpenSSH|8.9p1 Ubuntu 3ubuntu0.1|Ubuntu Linux; protocol 2.0|
NSOCK INFO [5.0670s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [11.0220s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 34 [43.143.68.214:80]
Service scan sending probe GetRequest to 43.143.68.214:80 (tcp)
NSOCK INFO [11.0230s] nsock_write(): Write request for 18 bytes to IOD #2 EID 43 [43.143.68.214:80]
NSOCK INFO [11.0230s] nsock_read(): Read request from IOD #2 [43.143.68.214:80] (timeout: 4999ms) EID 50
NSOCK INFO [11.0230s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 43 [43.143.68.214:80]
NSOCK INFO [11.0760s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 50 [43.143.68.214:80] (14120 bytes)
NSOCK INFO [11.0760s] nsock_iod_delete(): nsock_iod_delete (IOD #2)
NSOCK INFO [11.0760s] nsock_iod_new2(): nsock_iod_new (IOD #3)
NSOCK INFO [11.0870s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #3) EID 56
NSOCK INFO [11.1640s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 56 [43.143.68.214:80]
Service scan sending probe HTTPOptions to 43.143.68.214:80 (tcp)
NSOCK INFO [11.1650s] nsock_write(): Write request for 22 bytes to IOD #3 EID 67 [43.143.68.214:80]
NSOCK INFO [11.1650s] nsock_read(): Read request from IOD #3 [43.143.68.214:80] (timeout: 4999ms) EID 74
NSOCK INFO [11.1650s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 67 [43.143.68.214:80]
NSOCK INFO [11.2010s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 74 [43.143.68.214:80] (384 bytes)
NSOCK INFO [11.2030s] nsock_read(): Read request from IOD #3 [43.143.68.214:80] (timeout: 4961ms) EID 82
NSOCK INFO [11.2030s] nsock_trace_handler_callback(): Callback: READ EOF for EID 82 [43.143.68.214:80]
NSOCK INFO [11.2030s] nsock_iod_delete(): nsock_iod_delete (IOD #3)
NSOCK INFO [11.2030s] nsock_iod_new2(): nsock_iod_new (IOD #4)
NSOCK INFO [11.2040s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #4) EID 88
NSOCK INFO [11.2620s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 88 [43.143.68.214:80]
Service scan sending probe RTSPRequest to 43.143.68.214:80 (tcp)
NSOCK INFO [11.2870s] nsock_write(): Write request for 22 bytes to IOD #4 EID 99 [43.143.68.214:80]
NSOCK INFO [11.2870s] nsock_read(): Read request from IOD #4 [43.143.68.214:80] (timeout: 4975ms) EID 106
NSOCK INFO [11.2870s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 99 [43.143.68.214:80]
NSOCK INFO [11.7950s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 106 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [11.7960s] nsock_read(): Read request from IOD #4 [43.143.68.214:80] (timeout: 4466ms) EID 114
NSOCK INFO [11.7970s] nsock_trace_handler_callback(): Callback: READ EOF for EID 114 [43.143.68.214:80]
NSOCK INFO [11.7970s] nsock_iod_delete(): nsock_iod_delete (IOD #4)
NSOCK INFO [11.7970s] nsock_iod_new2(): nsock_iod_new (IOD #5)
NSOCK INFO [11.7970s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #5) EID 120
NSOCK INFO [11.8330s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 120 [43.143.68.214:80]
Service scan sending probe X11Probe to 43.143.68.214:80 (tcp)
NSOCK INFO [11.8470s] nsock_write(): Write request for 12 bytes to IOD #5 EID 131 [43.143.68.214:80]
NSOCK INFO [11.8470s] nsock_read(): Read request from IOD #5 [43.143.68.214:80] (timeout: 4986ms) EID 138
NSOCK INFO [11.8470s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 131 [43.143.68.214:80]
NSOCK INFO [11.8820s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 138 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [11.8830s] nsock_read(): Read request from IOD #5 [43.143.68.214:80] (timeout: 4950ms) EID 146
NSOCK INFO [11.8830s] nsock_trace_handler_callback(): Callback: READ EOF for EID 146 [43.143.68.214:80]
NSOCK INFO [11.8830s] nsock_iod_delete(): nsock_iod_delete (IOD #5)
NSOCK INFO [11.8830s] nsock_iod_new2(): nsock_iod_new (IOD #6)
NSOCK INFO [11.8830s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #6) EID 152
NSOCK INFO [11.9230s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 152 [43.143.68.214:80]
Service scan sending probe FourOhFourRequest to 43.143.68.214:80 (tcp)
NSOCK INFO [11.9230s] nsock_write(): Write request for 53 bytes to IOD #6 EID 163 [43.143.68.214:80]
NSOCK INFO [11.9230s] nsock_read(): Read request from IOD #6 [43.143.68.214:80] (timeout: 5000ms) EID 170
NSOCK INFO [11.9230s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 163 [43.143.68.214:80]
NSOCK INFO [11.9650s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 170 [43.143.68.214:80] (415 bytes)
NSOCK INFO [11.9670s] nsock_read(): Read request from IOD #6 [43.143.68.214:80] (timeout: 4956ms) EID 178
NSOCK INFO [11.9670s] nsock_trace_handler_callback(): Callback: READ EOF for EID 178 [43.143.68.214:80]
NSOCK INFO [11.9670s] nsock_iod_delete(): nsock_iod_delete (IOD #6)
NSOCK INFO [11.9670s] nsock_iod_new2(): nsock_iod_new (IOD #7)
NSOCK INFO [11.9670s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #7) EID 184
NSOCK INFO [12.0080s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 184 [43.143.68.214:80]
Service scan sending probe GenericLines to 43.143.68.214:80 (tcp)
NSOCK INFO [12.0090s] nsock_write(): Write request for 4 bytes to IOD #7 EID 195 [43.143.68.214:80]
NSOCK INFO [12.0090s] nsock_read(): Read request from IOD #7 [43.143.68.214:80] (timeout: 4999ms) EID 202
NSOCK INFO [12.0090s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 195 [43.143.68.214:80]
NSOCK INFO [17.0110s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 202 [43.143.68.214:80]
NSOCK INFO [17.0110s] nsock_iod_delete(): nsock_iod_delete (IOD #7)
NSOCK INFO [17.0110s] nsock_iod_new2(): nsock_iod_new (IOD #8)
NSOCK INFO [17.0110s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #8) EID 208
NSOCK INFO [17.0450s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 208 [43.143.68.214:80]
Service scan sending probe RPCCheck to 43.143.68.214:80 (tcp)
NSOCK INFO [17.0580s] nsock_write(): Write request for 44 bytes to IOD #8 EID 219 [43.143.68.214:80]
NSOCK INFO [17.0580s] nsock_read(): Read request from IOD #8 [43.143.68.214:80] (timeout: 4987ms) EID 226
NSOCK INFO [17.0580s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 219 [43.143.68.214:80]
NSOCK INFO [17.0930s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 226 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [17.0930s] nsock_read(): Read request from IOD #8 [43.143.68.214:80] (timeout: 4952ms) EID 234
NSOCK INFO [17.0930s] nsock_trace_handler_callback(): Callback: READ EOF for EID 234 [43.143.68.214:80]
NSOCK INFO [17.0930s] nsock_iod_delete(): nsock_iod_delete (IOD #8)
NSOCK INFO [17.0930s] nsock_iod_new2(): nsock_iod_new (IOD #9)
NSOCK INFO [17.0930s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #9) EID 240
NSOCK INFO [17.1290s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 240 [43.143.68.214:80]
Service scan sending probe DNSVersionBindReqTCP to 43.143.68.214:80 (tcp)
NSOCK INFO [17.1300s] nsock_write(): Write request for 32 bytes to IOD #9 EID 251 [43.143.68.214:80]
NSOCK INFO [17.1300s] nsock_read(): Read request from IOD #9 [43.143.68.214:80] (timeout: 4999ms) EID 258
NSOCK INFO [17.1300s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 251 [43.143.68.214:80]
NSOCK INFO [17.1650s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 258 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [17.1670s] nsock_read(): Read request from IOD #9 [43.143.68.214:80] (timeout: 4962ms) EID 266
NSOCK INFO [17.1670s] nsock_trace_handler_callback(): Callback: READ EOF for EID 266 [43.143.68.214:80]
NSOCK INFO [17.1670s] nsock_iod_delete(): nsock_iod_delete (IOD #9)
NSOCK INFO [17.1670s] nsock_iod_new2(): nsock_iod_new (IOD #10)
NSOCK INFO [17.1670s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #10) EID 272
NSOCK INFO [17.2010s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 272 [43.143.68.214:80]
Service scan sending probe DNSStatusRequestTCP to 43.143.68.214:80 (tcp)
NSOCK INFO [17.2130s] nsock_write(): Write request for 14 bytes to IOD #10 EID 283 [43.143.68.214:80]
NSOCK INFO [17.2130s] nsock_read(): Read request from IOD #10 [43.143.68.214:80] (timeout: 4988ms) EID 290
NSOCK INFO [17.2130s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 283 [43.143.68.214:80]
NSOCK INFO [17.2460s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 290 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [17.2480s] nsock_read(): Read request from IOD #10 [43.143.68.214:80] (timeout: 4953ms) EID 298
NSOCK INFO [17.2480s] nsock_trace_handler_callback(): Callback: READ EOF for EID 298 [43.143.68.214:80]
NSOCK INFO [17.2480s] nsock_iod_delete(): nsock_iod_delete (IOD #10)
NSOCK INFO [17.2480s] nsock_iod_new2(): nsock_iod_new (IOD #11)
NSOCK INFO [17.2480s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #11) EID 304
NSOCK INFO [17.2840s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 304 [43.143.68.214:80]
Service scan sending probe Help to 43.143.68.214:80 (tcp)
NSOCK INFO [17.2840s] nsock_write(): Write request for 6 bytes to IOD #11 EID 315 [43.143.68.214:80]
NSOCK INFO [17.2840s] nsock_read(): Read request from IOD #11 [43.143.68.214:80] (timeout: 7500ms) EID 322
NSOCK INFO [17.2840s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 315 [43.143.68.214:80]
NSOCK INFO [17.3210s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 322 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [17.3210s] nsock_read(): Read request from IOD #11 [43.143.68.214:80] (timeout: 7463ms) EID 330
NSOCK INFO [17.3210s] nsock_trace_handler_callback(): Callback: READ EOF for EID 330 [43.143.68.214:80]
NSOCK INFO [17.3210s] nsock_iod_delete(): nsock_iod_delete (IOD #11)
NSOCK INFO [17.3210s] nsock_iod_new2(): nsock_iod_new (IOD #12)
NSOCK INFO [17.3210s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #12) EID 336
NSOCK INFO [17.3630s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 336 [43.143.68.214:80]
Service scan sending probe SSLSessionReq to 43.143.68.214:80 (tcp)
NSOCK INFO [17.3840s] nsock_write(): Write request for 88 bytes to IOD #12 EID 347 [43.143.68.214:80]
NSOCK INFO [17.3840s] nsock_read(): Read request from IOD #12 [43.143.68.214:80] (timeout: 4979ms) EID 354
NSOCK INFO [17.3840s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 347 [43.143.68.214:80]
NSOCK INFO [17.4250s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 354 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [17.4270s] nsock_read(): Read request from IOD #12 [43.143.68.214:80] (timeout: 4936ms) EID 362
NSOCK INFO [17.4270s] nsock_trace_handler_callback(): Callback: READ EOF for EID 362 [43.143.68.214:80]
NSOCK INFO [17.4270s] nsock_iod_delete(): nsock_iod_delete (IOD #12)
NSOCK INFO [17.4270s] nsock_iod_new2(): nsock_iod_new (IOD #13)
NSOCK INFO [17.4270s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #13) EID 368
NSOCK INFO [17.4600s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 368 [43.143.68.214:80]
Service scan sending probe TerminalServerCookie to 43.143.68.214:80 (tcp)
NSOCK INFO [17.4600s] nsock_write(): Write request for 42 bytes to IOD #13 EID 379 [43.143.68.214:80]
NSOCK INFO [17.4600s] nsock_read(): Read request from IOD #13 [43.143.68.214:80] (timeout: 5000ms) EID 386
NSOCK INFO [17.4600s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 379 [43.143.68.214:80]
NSOCK INFO [17.4940s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 386 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [17.4950s] nsock_read(): Read request from IOD #13 [43.143.68.214:80] (timeout: 4965ms) EID 394
NSOCK INFO [17.4950s] nsock_trace_handler_callback(): Callback: READ EOF for EID 394 [43.143.68.214:80]
NSOCK INFO [17.4950s] nsock_iod_delete(): nsock_iod_delete (IOD #13)
NSOCK INFO [17.4950s] nsock_iod_new2(): nsock_iod_new (IOD #14)
NSOCK INFO [17.4950s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #14) EID 400
NSOCK INFO [17.5290s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 400 [43.143.68.214:80]
Service scan sending probe TLSSessionReq to 43.143.68.214:80 (tcp)
NSOCK INFO [17.5290s] nsock_write(): Write request for 110 bytes to IOD #14 EID 411 [43.143.68.214:80]
NSOCK INFO [17.5290s] nsock_read(): Read request from IOD #14 [43.143.68.214:80] (timeout: 5000ms) EID 418
NSOCK INFO [17.5290s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 411 [43.143.68.214:80]
NSOCK INFO [17.5630s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 418 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [17.5650s] nsock_read(): Read request from IOD #14 [43.143.68.214:80] (timeout: 4964ms) EID 426
NSOCK INFO [17.5650s] nsock_trace_handler_callback(): Callback: READ EOF for EID 426 [43.143.68.214:80]
NSOCK INFO [17.5650s] nsock_iod_delete(): nsock_iod_delete (IOD #14)
NSOCK INFO [17.5650s] nsock_iod_new2(): nsock_iod_new (IOD #15)
NSOCK INFO [17.5650s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #15) EID 432
NSOCK INFO [17.6000s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 432 [43.143.68.214:80]
Service scan sending probe Kerberos to 43.143.68.214:80 (tcp)
NSOCK INFO [17.6180s] nsock_write(): Write request for 117 bytes to IOD #15 EID 443 [43.143.68.214:80]
NSOCK INFO [17.6180s] nsock_read(): Read request from IOD #15 [43.143.68.214:80] (timeout: 4982ms) EID 450
NSOCK INFO [17.6180s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 443 [43.143.68.214:80]
NSOCK INFO [17.6520s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 450 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [17.6520s] nsock_read(): Read request from IOD #15 [43.143.68.214:80] (timeout: 4948ms) EID 458
NSOCK INFO [17.6520s] nsock_trace_handler_callback(): Callback: READ EOF for EID 458 [43.143.68.214:80]
NSOCK INFO [17.6520s] nsock_iod_delete(): nsock_iod_delete (IOD #15)
NSOCK INFO [17.6520s] nsock_iod_new2(): nsock_iod_new (IOD #16)
NSOCK INFO [17.6530s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #16) EID 464
NSOCK INFO [17.6970s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 464 [43.143.68.214:80]
Service scan sending probe SMBProgNeg to 43.143.68.214:80 (tcp)
NSOCK INFO [17.6970s] nsock_write(): Write request for 168 bytes to IOD #16 EID 475 [43.143.68.214:80]
NSOCK INFO [17.6970s] nsock_read(): Read request from IOD #16 [43.143.68.214:80] (timeout: 5000ms) EID 482
NSOCK INFO [17.6970s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 475 [43.143.68.214:80]
NSOCK INFO [17.7390s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 482 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [17.7400s] nsock_read(): Read request from IOD #16 [43.143.68.214:80] (timeout: 4957ms) EID 490
NSOCK INFO [17.7400s] nsock_trace_handler_callback(): Callback: READ EOF for EID 490 [43.143.68.214:80]
NSOCK INFO [17.7400s] nsock_iod_delete(): nsock_iod_delete (IOD #16)
NSOCK INFO [17.7400s] nsock_iod_new2(): nsock_iod_new (IOD #17)
NSOCK INFO [17.7410s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #17) EID 496
NSOCK INFO [17.7730s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 496 [43.143.68.214:80]
Service scan sending probe LPDString to 43.143.68.214:80 (tcp)
NSOCK INFO [17.7880s] nsock_write(): Write request for 9 bytes to IOD #17 EID 507 [43.143.68.214:80]
NSOCK INFO [17.7880s] nsock_read(): Read request from IOD #17 [43.143.68.214:80] (timeout: 4985ms) EID 514
NSOCK INFO [17.7880s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 507 [43.143.68.214:80]
NSOCK INFO [17.8220s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 514 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [17.8220s] nsock_read(): Read request from IOD #17 [43.143.68.214:80] (timeout: 4951ms) EID 522
NSOCK INFO [17.8230s] nsock_trace_handler_callback(): Callback: READ EOF for EID 522 [43.143.68.214:80]
NSOCK INFO [17.8230s] nsock_iod_delete(): nsock_iod_delete (IOD #17)
NSOCK INFO [17.8230s] nsock_iod_new2(): nsock_iod_new (IOD #18)
NSOCK INFO [17.8230s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #18) EID 528
NSOCK INFO [17.8590s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 528 [43.143.68.214:80]
Service scan sending probe LDAPSearchReq to 43.143.68.214:80 (tcp)
NSOCK INFO [17.8590s] nsock_write(): Write request for 51 bytes to IOD #18 EID 539 [43.143.68.214:80]
NSOCK INFO [17.8590s] nsock_read(): Read request from IOD #18 [43.143.68.214:80] (timeout: 5000ms) EID 546
NSOCK INFO [17.8590s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 539 [43.143.68.214:80]
NSOCK INFO [17.8940s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 546 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [17.8950s] nsock_read(): Read request from IOD #18 [43.143.68.214:80] (timeout: 4964ms) EID 554
NSOCK INFO [17.8950s] nsock_trace_handler_callback(): Callback: READ EOF for EID 554 [43.143.68.214:80]
NSOCK INFO [17.8950s] nsock_iod_delete(): nsock_iod_delete (IOD #18)
NSOCK INFO [17.8950s] nsock_iod_new2(): nsock_iod_new (IOD #19)
NSOCK INFO [17.8950s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #19) EID 560
NSOCK INFO [17.9300s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 560 [43.143.68.214:80]
Service scan sending probe LDAPBindReq to 43.143.68.214:80 (tcp)
NSOCK INFO [17.9420s] nsock_write(): Write request for 14 bytes to IOD #19 EID 571 [43.143.68.214:80]
NSOCK INFO [17.9420s] nsock_read(): Read request from IOD #19 [43.143.68.214:80] (timeout: 4988ms) EID 578
NSOCK INFO [17.9420s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 571 [43.143.68.214:80]
NSOCK INFO [17.9780s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 578 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [17.9780s] nsock_read(): Read request from IOD #19 [43.143.68.214:80] (timeout: 4952ms) EID 586
NSOCK INFO [17.9780s] nsock_trace_handler_callback(): Callback: READ EOF for EID 586 [43.143.68.214:80]
NSOCK INFO [17.9780s] nsock_iod_delete(): nsock_iod_delete (IOD #19)
NSOCK INFO [17.9780s] nsock_iod_new2(): nsock_iod_new (IOD #20)
NSOCK INFO [17.9780s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #20) EID 592
NSOCK INFO [18.0160s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 592 [43.143.68.214:80]
Service scan sending probe SIPOptions to 43.143.68.214:80 (tcp)
NSOCK INFO [18.0160s] nsock_write(): Write request for 223 bytes to IOD #20 EID 603 [43.143.68.214:80]
NSOCK INFO [18.0160s] nsock_read(): Read request from IOD #20 [43.143.68.214:80] (timeout: 7500ms) EID 610
NSOCK INFO [18.0160s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 603 [43.143.68.214:80]
NSOCK INFO [18.0520s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 610 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [18.0540s] nsock_read(): Read request from IOD #20 [43.143.68.214:80] (timeout: 7462ms) EID 618
NSOCK INFO [18.0540s] nsock_trace_handler_callback(): Callback: READ EOF for EID 618 [43.143.68.214:80]
NSOCK INFO [18.0540s] nsock_iod_delete(): nsock_iod_delete (IOD #20)
NSOCK INFO [18.0540s] nsock_iod_new2(): nsock_iod_new (IOD #21)
NSOCK INFO [18.0540s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #21) EID 624
NSOCK INFO [18.0890s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 624 [43.143.68.214:80]
Service scan sending probe LANDesk-RC to 43.143.68.214:80 (tcp)
NSOCK INFO [18.1140s] nsock_write(): Write request for 16 bytes to IOD #21 EID 635 [43.143.68.214:80]
NSOCK INFO [18.1140s] nsock_read(): Read request from IOD #21 [43.143.68.214:80] (timeout: 4975ms) EID 642
NSOCK INFO [18.1140s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 635 [43.143.68.214:80]
NSOCK INFO [18.1510s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 642 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [18.1510s] nsock_read(): Read request from IOD #21 [43.143.68.214:80] (timeout: 4938ms) EID 650
NSOCK INFO [18.1510s] nsock_trace_handler_callback(): Callback: READ EOF for EID 650 [43.143.68.214:80]
NSOCK INFO [18.1510s] nsock_iod_delete(): nsock_iod_delete (IOD #21)
NSOCK INFO [18.1510s] nsock_iod_new2(): nsock_iod_new (IOD #22)
NSOCK INFO [18.1510s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #22) EID 656
NSOCK INFO [18.1870s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 656 [43.143.68.214:80]
Service scan sending probe TerminalServer to 43.143.68.214:80 (tcp)
NSOCK INFO [18.2050s] nsock_write(): Write request for 11 bytes to IOD #22 EID 667 [43.143.68.214:80]
NSOCK INFO [18.2050s] nsock_read(): Read request from IOD #22 [43.143.68.214:80] (timeout: 4982ms) EID 674
NSOCK INFO [18.2050s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 667 [43.143.68.214:80]
NSOCK INFO [18.2400s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 674 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [18.2410s] nsock_read(): Read request from IOD #22 [43.143.68.214:80] (timeout: 4946ms) EID 682
NSOCK INFO [18.2410s] nsock_trace_handler_callback(): Callback: READ EOF for EID 682 [43.143.68.214:80]
NSOCK INFO [18.2410s] nsock_iod_delete(): nsock_iod_delete (IOD #22)
NSOCK INFO [18.2410s] nsock_iod_new2(): nsock_iod_new (IOD #23)
NSOCK INFO [18.2410s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #23) EID 688
NSOCK INFO [18.2820s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 688 [43.143.68.214:80]
Service scan sending probe NCP to 43.143.68.214:80 (tcp)
NSOCK INFO [18.2830s] nsock_write(): Write request for 23 bytes to IOD #23 EID 699 [43.143.68.214:80]
NSOCK INFO [18.2830s] nsock_read(): Read request from IOD #23 [43.143.68.214:80] (timeout: 4999ms) EID 706
NSOCK INFO [18.2830s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 699 [43.143.68.214:80]
NSOCK INFO [18.5460s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 706 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [18.5470s] nsock_read(): Read request from IOD #23 [43.143.68.214:80] (timeout: 4735ms) EID 714
NSOCK INFO [18.5480s] nsock_trace_handler_callback(): Callback: READ EOF for EID 714 [43.143.68.214:80]
NSOCK INFO [18.5480s] nsock_iod_delete(): nsock_iod_delete (IOD #23)
NSOCK INFO [18.5480s] nsock_iod_new2(): nsock_iod_new (IOD #24)
NSOCK INFO [18.5480s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #24) EID 720
NSOCK INFO [18.5890s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 720 [43.143.68.214:80]
Service scan sending probe NotesRPC to 43.143.68.214:80 (tcp)
NSOCK INFO [18.6080s] nsock_write(): Write request for 60 bytes to IOD #24 EID 731 [43.143.68.214:80]
NSOCK INFO [18.6080s] nsock_read(): Read request from IOD #24 [43.143.68.214:80] (timeout: 4981ms) EID 738
NSOCK INFO [18.6080s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 731 [43.143.68.214:80]
NSOCK INFO [18.6520s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 738 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [18.6530s] nsock_read(): Read request from IOD #24 [43.143.68.214:80] (timeout: 4936ms) EID 746
NSOCK INFO [18.6530s] nsock_trace_handler_callback(): Callback: READ EOF for EID 746 [43.143.68.214:80]
NSOCK INFO [18.6530s] nsock_iod_delete(): nsock_iod_delete (IOD #24)
NSOCK INFO [18.6530s] nsock_iod_new2(): nsock_iod_new (IOD #25)
NSOCK INFO [18.6530s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #25) EID 752
NSOCK INFO [18.6870s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 752 [43.143.68.214:80]
Service scan sending probe JavaRMI to 43.143.68.214:80 (tcp)
NSOCK INFO [18.6870s] nsock_write(): Write request for 7 bytes to IOD #25 EID 763 [43.143.68.214:80]
NSOCK INFO [18.6870s] nsock_read(): Read request from IOD #25 [43.143.68.214:80] (timeout: 5000ms) EID 770
NSOCK INFO [18.6870s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 763 [43.143.68.214:80]
NSOCK INFO [18.7210s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 770 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [18.7220s] nsock_read(): Read request from IOD #25 [43.143.68.214:80] (timeout: 4965ms) EID 778
NSOCK INFO [18.7220s] nsock_trace_handler_callback(): Callback: READ EOF for EID 778 [43.143.68.214:80]
NSOCK INFO [18.7220s] nsock_iod_delete(): nsock_iod_delete (IOD #25)
NSOCK INFO [18.7220s] nsock_iod_new2(): nsock_iod_new (IOD #26)
NSOCK INFO [18.7220s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #26) EID 784
NSOCK INFO [18.7560s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 784 [43.143.68.214:80]
Service scan sending probe WMSRequest to 43.143.68.214:80 (tcp)
NSOCK INFO [18.7800s] nsock_write(): Write request for 175 bytes to IOD #26 EID 795 [43.143.68.214:80]
NSOCK INFO [18.7800s] nsock_read(): Read request from IOD #26 [43.143.68.214:80] (timeout: 4976ms) EID 802
NSOCK INFO [18.7800s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 795 [43.143.68.214:80]
NSOCK INFO [18.8140s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 802 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [18.8150s] nsock_read(): Read request from IOD #26 [43.143.68.214:80] (timeout: 4941ms) EID 810
NSOCK INFO [18.8150s] nsock_trace_handler_callback(): Callback: READ EOF for EID 810 [43.143.68.214:80]
NSOCK INFO [18.8150s] nsock_iod_delete(): nsock_iod_delete (IOD #26)
NSOCK INFO [18.8150s] nsock_iod_new2(): nsock_iod_new (IOD #27)
NSOCK INFO [18.8150s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #27) EID 816
NSOCK INFO [18.8500s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 816 [43.143.68.214:80]
Service scan sending probe oracle-tns to 43.143.68.214:80 (tcp)
NSOCK INFO [18.8740s] nsock_write(): Write request for 90 bytes to IOD #27 EID 827 [43.143.68.214:80]
NSOCK INFO [18.8750s] nsock_read(): Read request from IOD #27 [43.143.68.214:80] (timeout: 4976ms) EID 834
NSOCK INFO [18.8750s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 827 [43.143.68.214:80]
NSOCK INFO [18.9090s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 834 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [18.9100s] nsock_read(): Read request from IOD #27 [43.143.68.214:80] (timeout: 4940ms) EID 842
NSOCK INFO [18.9110s] nsock_trace_handler_callback(): Callback: READ EOF for EID 842 [43.143.68.214:80]
NSOCK INFO [18.9110s] nsock_iod_delete(): nsock_iod_delete (IOD #27)
NSOCK INFO [18.9110s] nsock_iod_new2(): nsock_iod_new (IOD #28)
NSOCK INFO [18.9110s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #28) EID 848
NSOCK INFO [18.9460s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 848 [43.143.68.214:80]
Service scan sending probe ms-sql-s to 43.143.68.214:80 (tcp)
NSOCK INFO [18.9670s] nsock_write(): Write request for 52 bytes to IOD #28 EID 859 [43.143.68.214:80]
NSOCK INFO [18.9670s] nsock_read(): Read request from IOD #28 [43.143.68.214:80] (timeout: 4979ms) EID 866
NSOCK INFO [18.9670s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 859 [43.143.68.214:80]
NSOCK INFO [19.0000s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 866 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [19.0010s] nsock_read(): Read request from IOD #28 [43.143.68.214:80] (timeout: 4945ms) EID 874
NSOCK INFO [19.0010s] nsock_trace_handler_callback(): Callback: READ EOF for EID 874 [43.143.68.214:80]
NSOCK INFO [19.0010s] nsock_iod_delete(): nsock_iod_delete (IOD #28)
NSOCK INFO [19.0010s] nsock_iod_new2(): nsock_iod_new (IOD #29)
NSOCK INFO [19.0010s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #29) EID 880
NSOCK INFO [19.0360s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 880 [43.143.68.214:80]
Service scan sending probe afp to 43.143.68.214:80 (tcp)
NSOCK INFO [19.0600s] nsock_write(): Write request for 18 bytes to IOD #29 EID 891 [43.143.68.214:80]
NSOCK INFO [19.0600s] nsock_read(): Read request from IOD #29 [43.143.68.214:80] (timeout: 4976ms) EID 898
NSOCK INFO [19.0600s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 891 [43.143.68.214:80]
NSOCK INFO [19.0940s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 898 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [19.0940s] nsock_read(): Read request from IOD #29 [43.143.68.214:80] (timeout: 4942ms) EID 906
NSOCK INFO [19.0940s] nsock_trace_handler_callback(): Callback: READ EOF for EID 906 [43.143.68.214:80]
NSOCK INFO [19.0940s] nsock_iod_delete(): nsock_iod_delete (IOD #29)
NSOCK INFO [19.0940s] nsock_iod_new2(): nsock_iod_new (IOD #30)
NSOCK INFO [19.0950s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #30) EID 912
NSOCK INFO [19.1300s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 912 [43.143.68.214:80]
Service scan sending probe giop to 43.143.68.214:80 (tcp)
NSOCK INFO [19.1540s] nsock_write(): Write request for 48 bytes to IOD #30 EID 923 [43.143.68.214:80]
NSOCK INFO [19.1540s] nsock_read(): Read request from IOD #30 [43.143.68.214:80] (timeout: 4976ms) EID 930
NSOCK INFO [19.1540s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 923 [43.143.68.214:80]
NSOCK INFO [19.1880s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 930 [43.143.68.214:80] (47 bytes): HTTP/1.1 400 Bad Request..Connection: close....
NSOCK INFO [19.1900s] nsock_read(): Read request from IOD #30 [43.143.68.214:80] (timeout: 4940ms) EID 938
NSOCK INFO [19.1900s] nsock_trace_handler_callback(): Callback: READ EOF for EID 938 [43.143.68.214:80]
NSOCK INFO [19.1900s] nsock_iod_delete(): nsock_iod_delete (IOD #30)
NSE: Script scanning 43.143.68.214.
NSE: Starting runlevel 1 (of 2) scan.
NSE: Starting https-redirect against 7erry.com (43.143.68.214:80).
NSE: Finished https-redirect against 7erry.com (43.143.68.214:80).
NSE: Starting skypev2-version against 7erry.com (43.143.68.214:80).
NSE: Finished skypev2-version against 7erry.com (43.143.68.214:80).
NSE: Starting weblogic-t3-info against 7erry.com (43.143.68.214:80).
NSOCK INFO [19.1900s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [19.1920s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #1) EID 8
NSE: Starting fingerprint-strings against 7erry.com (43.143.68.214:80).
NSE: Finished fingerprint-strings against 7erry.com (43.143.68.214:80).
NSE: Starting vmware-version against 7erry.com (43.143.68.214:80).
NSOCK INFO [19.1920s] nsock_iod_new2(): nsock_iod_new (IOD #2)
NSOCK INFO [19.1940s] nsock_connect_tcp(): TCP connection requested to 43.143.68.214:80 (IOD #2) EID 16
NSE: Starting http-trane-info against 7erry.com (43.143.68.214:80).
NSE: Starting hnap-info against 7erry.com (43.143.68.214:80).
NSE: Finished weblogic-t3-info against 7erry.com (43.143.68.214:80).
NSE: [vmware-version 43.143.68.214:80] Couldn't download file: /sdk
NSE: Finished vmware-version against 7erry.com (43.143.68.214:80).
NSE: [http-trane-info 43.143.68.214:80] HTTP: Host returns proper 404 result.
NSE: [hnap-info 43.143.68.214:80] HTTP: Host returns proper 404 result.
NSE: Finished http-trane-info against 7erry.com (43.143.68.214:80).
NSE: Finished hnap-info against 7erry.com (43.143.68.214:80).
NSE: Starting runlevel 2 (of 2) scan.
NSE: Starting rpc-grind against 7erry.com (43.143.68.214:80).
NSE: Starting http-server-header against 7erry.com (43.143.68.214:80).
NSE: Finished http-server-header against 7erry.com (43.143.68.214:80).
NSE: [rpc-grind 43.143.68.214:80] isRPC didn't receive response.
NSE: [rpc-grind 43.143.68.214:80] Target port 80 is not a RPC port.
NSE: Finished rpc-grind against 7erry.com (43.143.68.214:80).
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.036s latency).
Scanned at 2023-12-16 19:09:24 中国标准时间 for 20s
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open   http
443/tcp  closed https
7777/tcp closed cbt
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.94%I=7%D=12/16%Time=657D856F%P=i686-pc-windows-windows%r
SF:(GetRequest,3728,"HTTP/1\.1\x20200\x20OK\r\nX-Powered-By:\x20Hexo\r\nCo
SF:ntent-Type:\x20text/html\r\nDate:\x20Sat,\x2016\x20Dec\x202023\x2011:09
SF::38\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20HTML>\n<html>\n<
SF:head>\n\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20<meta\x20http-equiv
SF:=\"pragma\"\x20content=\"no-cache\">\n\x20\x20<meta\x20http-equiv=\"cac
SF:he-control\"\x20content=\"no-cache\">\n\x20\x20<meta\x20http-equiv=\"ex
SF:pires\"\x20content=\"0\">\n\x20\x20\n\x20\x20<title>JeRyWu&#39;s\x20Web
SF:site</title>\n\x20\x20<meta\x20name=\"author\"\x20content=\"JeRyWu\">\n
SF:\x20\x20\n\x20\x20<meta\x20name=\"description\"\x20content=\"I\x20am\x2
SF:0JeRyWu\x20,\x20An\x20ACG\x20lover\x20and\x20a\x20Geek\x20Style\x20Tech
SF:\x20lover,who\x20is\x20willing\x20to\x20spend\x20lifelong\x20time\x20wi
SF:th\x20them\">\n\x20\x20\n\x20\x20\n\x20\x20<meta\x20name=\"viewport\"\x
SF:20content=\"width=device-width,\x20initial-scale=1,\x20maximum-scale=1\
SF:">\n\n\x20\x20\n\x20\x20<meta\x20property=\"og:site_name\"\x20content=\
SF:"JeRyWu&#39;s\x20Website\"/>\n\n\x20\x20\n\x20\x20\x20\x20<meta\x20prop
SF:erty=\"og:image\"\x20content=\"\"/>\n\x20\x20\n\n\x20\x20\n\x20\x20\x20
SF:\x20<link\x20rel=\"alternative\"\x20href=\"/atom\.xml\"\x20title=\"JeRy
SF:Wu&#39;s\x20Website\"\x20type=\"application/atom\+xml\">\n\x20\x20\n\x2
SF:0\x20\n\x20\x20\x20\x20<link\x20href=\"/favicon\.ico\"\x20rel=\"icon\">
SF:\n\x20\x20\n\x20\x20\n\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"/cs
SF:s/bootstrap\.min\.css\"\x20media=\"screen\"\x20type=\"text/css\">\n\x20
SF:\x20<link\x20rel=\"stylesheet\"\x20href=\"/css/font-awesome\.css\"\x20m
SF:edia=\"screen\"\x20type=\"text/css\">\n\x20\x20<link\x20rel=\"styleshee
SF:t\"\x20href=\"/css/style\.css\"\x20media=\"screen\"\x20type=\"text/css\
SF:">\n\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"/css/responsive\.css\
SF:"\x20media=\"screen\"\x20type=\"text/css\">\n\x20\x20<link\x20rel=\"sty
SF:lesheet\"\x20href=\"/css/highlight")%r(HTTPOptions,180,"HTTP/1\.1\x2040
SF:4\x20Not\x20Found\r\nX-Powered-By:\x20Hexo\r\nContent-Security-Policy:\
SF:x20default-src\x20'none'\r\nX-Content-Type-Options:\x20nosniff\r\nConte
SF:nt-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20143\r\nDa
SF:te:\x20Sat,\x2016\x20Dec\x202023\x2011:09:38\x20GMT\r\nConnection:\x20c
SF:lose\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en\">\n<head>\n<meta\x2
SF:0charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot
SF:\x20OPTIONS\x20/</pre>\n</body>\n</html>\n")%r(RTSPRequest,2F,"HTTP/1\.
SF:1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r(X11Probe
SF:,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n
SF:")%r(FourOhFourRequest,19F,"HTTP/1\.1\x20404\x20Not\x20Found\r\nX-Power
SF:ed-By:\x20Hexo\r\nContent-Security-Policy:\x20default-src\x20'none'\r\n
SF:X-Content-Type-Options:\x20nosniff\r\nContent-Type:\x20text/html;\x20ch
SF:arset=utf-8\r\nContent-Length:\x20174\r\nDate:\x20Sat,\x2016\x20Dec\x20
SF:2023\x2011:09:39\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20htm
SF:l>\n<html\x20lang=\"en\">\n<head>\n<meta\x20charset=\"utf-8\">\n<title>
SF:Error</title>\n</head>\n<body>\n<pre>Cannot\x20GET\x20/nice%20ports%2C/
SF:Tri%6Eity\.txt%2ebak</pre>\n</body>\n</html>\n")%r(RPCCheck,2F,"HTTP/1\
SF:.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r(DNSVers
SF:ionBindReqTCP,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20
SF:close\r\n\r\n")%r(DNSStatusRequestTCP,2F,"HTTP/1\.1\x20400\x20Bad\x20Re
SF:quest\r\nConnection:\x20close\r\n\r\n")%r(Help,2F,"HTTP/1\.1\x20400\x20
SF:Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r(SSLSessionReq,2F,"HT
SF:TP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r(Te
SF:rminalServerCookie,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection
SF::\x20close\r\n\r\n")%r(TLSSessionReq,2F,"HTTP/1\.1\x20400\x20Bad\x20Req
SF:uest\r\nConnection:\x20close\r\n\r\n")%r(Kerberos,2F,"HTTP/1\.1\x20400\
SF:x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r(SMBProgNeg,2F,"HT
SF:TP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r(LP
SF:DString,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\
SF:r\n\r\n")%r(LDAPSearchReq,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCon
SF:nection:\x20close\r\n\r\n")%r(LDAPBindReq,2F,"HTTP/1\.1\x20400\x20Bad\x
SF:20Request\r\nConnection:\x20close\r\n\r\n")%r(SIPOptions,2F,"HTTP/1\.1\
SF:x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r(LANDesk-RC
SF:,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n
SF:")%r(TerminalServer,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnectio
SF:n:\x20close\r\n\r\n")%r(NCP,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nC
SF:onnection:\x20close\r\n\r\n")%r(NotesRPC,2F,"HTTP/1\.1\x20400\x20Bad\x2
SF:0Request\r\nConnection:\x20close\r\n\r\n")%r(JavaRMI,2F,"HTTP/1\.1\x204
SF:00\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r(WMSRequest,2F,
SF:"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r
SF:(oracle-tns,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20cl
SF:ose\r\n\r\n")%r(ms-sql-s,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConn
SF:ection:\x20close\r\n\r\n")%r(afp,2F,"HTTP/1\.1\x20400\x20Bad\x20Request
SF:\r\nConnection:\x20close\r\n\r\n")%r(giop,2F,"HTTP/1\.1\x20400\x20Bad\x
SF:20Request\r\nConnection:\x20close\r\n\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Final times for host: srtt: 36169 rttvar: 8984  to: 100000

Read from E:\Hack\Nmsp\Nmap: nmap-protocols nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.77 seconds

RPC scan

The -sR option performs an RPC scan: Nmap issues the SunRPC NULL procedure call to every open port it has discovered to confirm whether the port is an RPC port, and if it is, the RPC program number and version are returned.

❯ nmap -sS -sR 7erry.com
WARNING: -sR is now an alias for -sV and activates version detection as well as RPC scan.
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-16 19:11 中国标准时间
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.053s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open   http
443/tcp  closed https
7777/tcp closed cbt
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.94%I=7%D=12/16%Time=657D860D%P=i686-pc-windows-windows%r
SF:(GetRequest,1610,"HTTP/1\.1\x20200\x20OK\r\nX-Powered-By:\x20Hexo\r\nCo
SF:ntent-Type:\x20text/html\r\nDate:\x20Sat,\x2016\x20Dec\x202023\x2011:12
SF::16\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20HTML>\n<html>\n<
SF:head>\n\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20<meta\x20http-equiv
SF:=\"pragma\"\x20content=\"no-cache\">\n\x20\x20<meta\x20http-equiv=\"cac
SF:he-control\"\x20content=\"no-cache\">\n\x20\x20<meta\x20http-equiv=\"ex
SF:pires\"\x20content=\"0\">\n\x20\x20\n\x20\x20<title>JeRyWu&#39;s\x20Web
SF:site</title>\n\x20\x20<meta\x20name=\"author\"\x20content=\"JeRyWu\">\n
SF:\x20\x20\n\x20\x20<meta\x20name=\"description\"\x20content=\"I\x20am\x2
SF:0JeRyWu\x20,\x20An\x20ACG\x20lover\x20and\x20a\x20Geek\x20Style\x20Tech
SF:\x20lover,who\x20is\x20willing\x20to\x20spend\x20lifelong\x20time\x20wi
SF:th\x20them\">\n\x20\x20\n\x20\x20\n\x20\x20<meta\x20name=\"viewport\"\x
SF:20content=\"width=device-width,\x20initial-scale=1,\x20maximum-scale=1\
SF:">\n\n\x20\x20\n\x20\x20<meta\x20property=\"og:site_name\"\x20content=\
SF:"JeRyWu&#39;s\x20Website\"/>\n\n\x20\x20\n\x20\x20\x20\x20<meta\x20prop
SF:erty=\"og:image\"\x20content=\"\"/>\n\x20\x20\n\n\x20\x20\n\x20\x20\x20
SF:\x20<link\x20rel=\"alternative\"\x20href=\"/atom\.xml\"\x20title=\"JeRy
SF:Wu&#39;s\x20Website\"\x20type=\"application/atom\+xml\">\n\x20\x20\n\x2
SF:0\x20\n\x20\x20\x20\x20<link\x20href=\"/favicon\.ico\"")%r(HTTPOptions,
SF:180,"HTTP/1\.1\x20404\x20Not\x20Found\r\nX-Powered-By:\x20Hexo\r\nConte
SF:nt-Security-Policy:\x20default-src\x20'none'\r\nX-Content-Type-Options:
SF:\x20nosniff\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-
SF:Length:\x20143\r\nDate:\x20Sat,\x2016\x20Dec\x202023\x2011:12:16\x20GMT
SF:\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en\
SF:">\n<head>\n<meta\x20charset=\"utf-8\">\n<title>Error</title>\n</head>\
SF:n<body>\n<pre>Cannot\x20OPTIONS\x20/</pre>\n</body>\n</html>\n")%r(RTSP
SF:Request,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\
SF:r\n\r\n")%r(X11Probe,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnecti
SF:on:\x20close\r\n\r\n")%r(FourOhFourRequest,19F,"HTTP/1\.1\x20404\x20Not
SF:\x20Found\r\nX-Powered-By:\x20Hexo\r\nContent-Security-Policy:\x20defau
SF:lt-src\x20'none'\r\nX-Content-Type-Options:\x20nosniff\r\nContent-Type:
SF:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20174\r\nDate:\x20S
SF:at,\x2016\x20Dec\x202023\x2011:12:17\x20GMT\r\nConnection:\x20close\r\n
SF:\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en\">\n<head>\n<meta\x20charset
SF:=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot\x20GET\
SF:x20/nice%20ports%2C/Tri%6Eity\.txt%2ebak</pre>\n</body>\n</html>\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.57 seconds
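
As an added example (not Nmap's code or the author's), the ONC RPC NULL-procedure exchange the -sR paragraph describes, encoded and decoded offline: a NULL call is built the way the scanner sends it, and sample replies (constructed here, with an invented transaction id) are classified the way the rpc-grind "isRPC" step in the trace above decides whether a port speaks RPC. The HTTP 400 the page's port 80 returned is included as the negative case.

```python
import struct
from typing import Optional

# ONC RPC v2 message constants (RFC 5531)
RPC_VERSION = 2
MSG_CALL, MSG_REPLY = 0, 1
MSG_ACCEPTED, MSG_DENIED = 0, 1
AUTH_NONE = 0
ACCEPT_STAT = {0: "SUCCESS", 1: "PROG_UNAVAIL", 2: "PROG_MISMATCH",
               3: "PROC_UNAVAIL", 4: "GARBAGE_ARGS", 5: "SYSTEM_ERR"}
REJECT_STAT = {0: "RPC_MISMATCH", 1: "AUTH_ERROR"}


def _record(body: bytes) -> bytes:
    """Prefix the TCP record-marking header: last-fragment bit plus fragment length."""
    return struct.pack("!I", 0x80000000 | len(body)) + body


def build_null_call(xid: int, prog: int, vers: int) -> bytes:
    """Encode a CALL for procedure 0 (NULL) with empty AUTH_NONE credentials and verifier."""
    body = struct.pack("!6I", xid, MSG_CALL, RPC_VERSION, prog, vers, 0)
    body += struct.pack("!4I", AUTH_NONE, 0, AUTH_NONE, 0)
    return _record(body)


def build_reply(xid: int, accept_stat: int, low: int = 0, high: int = 0) -> bytes:
    """Encode an accepted REPLY; used here only to construct sample responses."""
    body = struct.pack("!5I", xid, MSG_REPLY, MSG_ACCEPTED, AUTH_NONE, 0)
    body += struct.pack("!I", accept_stat)
    if accept_stat == 2:                      # PROG_MISMATCH carries the supported version range
        body += struct.pack("!2I", low, high)
    return _record(body)


def parse_reply(record: bytes, expected_xid: int) -> Optional[dict]:
    """Decode one reply record; None unless it is a well-formed REPLY to our xid."""
    if len(record) < 16:
        return None
    frag = struct.unpack("!I", record[:4])[0]
    body = record[4:4 + (frag & 0x7FFFFFFF)]
    if len(body) < 12:
        return None
    xid, mtype, stat = struct.unpack("!3I", body[:12])
    if xid != expected_xid or mtype != MSG_REPLY:
        return None
    off = 12
    if stat == MSG_ACCEPTED:
        if len(body) < off + 8:
            return None
        _flavor, vlen = struct.unpack("!2I", body[off:off + 8])
        off += 8 + ((vlen + 3) & ~3)          # verifier body is padded to 4 bytes
        if len(body) < off + 4:
            return None
        accept = struct.unpack("!I", body[off:off + 4])[0]
        off += 4
        info = {"reply": "MSG_ACCEPTED", "accept_stat": ACCEPT_STAT.get(accept, str(accept))}
        if accept == 2 and len(body) >= off + 8:
            info["low"], info["high"] = struct.unpack("!2I", body[off:off + 8])
        return info
    if stat == MSG_DENIED and len(body) >= off + 4:
        reject = struct.unpack("!I", body[off:off + 4])[0]
        return {"reply": "MSG_DENIED", "reject_stat": REJECT_STAT.get(reject, str(reject))}
    return None


def classify_port(response: bytes, xid: int) -> str:
    """Any valid reply to our xid means the port speaks RPC, PROG_UNAVAIL included:
    the program we asked about is simply not registered there."""
    info = parse_reply(response, xid)
    if info is None:
        return "not RPC"
    if info.get("accept_stat") == "PROG_MISMATCH" and "low" in info:
        return f"RPC (program present, versions {info['low']}-{info['high']})"
    return f"RPC ({info['reply']}/{info.get('accept_stat') or info.get('reject_stat')})"


if __name__ == "__main__":
    xid = 0x7E22F00D                        # constructed transaction id
    samples = {                             # constructed sample responses
        "rpc-unavail": build_reply(xid, 1),
        "rpc-mismatch": build_reply(xid, 2, 2, 4),
        "http-400": b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n",
    }
    for name, resp in samples.items():
        print(f"{name:13s} -> {classify_port(resp, xid)}")
```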

OS detection

Different operating systems use different default TTLs when they send network packets, handle the ACK sequence numbers of TCP segments differently, and respond differently to ICMP messages; these OS-specific response characteristics are of great help to Nmap's OS detection. The -O option makes Nmap perform OS detection against the scan target, and when it cannot determine the target's operating system, the --osscan-guess / --fuzzy options make it guess the operating system.

❯ nmap -O 7erry.com
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-16 19:21 中国标准时间
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.037s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
7777/tcp closed cbt
Device type: general purpose|storage-misc|firewall|webcam
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X (86%), Synology DiskStation Manager 5.X (85%), WatchGuard Fireware 11.X (85%), Tandberg embedded (85%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3.10 cpe:/o:linux:linux_kernel cpe:/a:synology:diskstation_manager:5.1 cpe:/o:linux:linux_kernel:4.2 cpe:/o:watchguard:fireware:11.8 cpe:/h:tandberg:vcs
Aggressive OS guesses: Linux 2.6.32 or 3.10 (86%), Synology DiskStation Manager 5.1 (85%), Linux 2.6.35 (85%), Linux 2.6.32 (85%), Linux 2.6.39 (85%), Linux 3.10 - 3.12 (85%), Linux 3.5 (85%), Linux 4.2 (85%), Linux 4.4 (85%), WatchGuard Fireware 11.8 (85%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.57 seconds

We can see that Nmap could not determine the OS version of my server, but it listed the versions the OS might be together with their respective probabilities. If we add the --fuzzy option:

❯ nmap -O -fuzzy 7erry.com
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-16 19:25 中国标准时间
Nmap scan report for 7erry.com (43.143.68.214)
Host is up (0.043s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
7777/tcp closed cbt
Device type: storage-misc
Running (JUST GUESSING): Linux (85%), Synology DiskStation Manager 5.X (85%)
OS CPE: cpe:/o:linux:linux_kernel cpe:/a:synology:diskstation_manager:5.1
Aggressive OS guesses: Synology DiskStation Manager 5.1 (85%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.52 seconds

Now we have the operating system information Nmap guessed.
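
As an added example (not the page's or Nmap's code), the TTL signal from the paragraph above turned into a helper, plus a parser for the "(JUST GUESSING)" output shown in the two -O runs, so the confidence figures and the "No exact OS matches" caveat can be compared by a script rather than by eye; the initial-TTL table is an assumption about common defaults, not a table taken from Nmap.

```python
import re
from typing import Optional

# Assumption (common defaults, not an Nmap table): the initial TTL an OS family
# stamps on outgoing packets. Nmap's -O uses many more signals than this one.
INITIAL_TTLS = {64: "Linux/Unix-like", 128: "Windows", 255: "Solaris/network gear"}

GUESS_RE = re.compile(r"^(?P<name>.+?) \((?P<pct>\d+)%\)$")
GUESS_LINES = {"running": "Running (JUST GUESSING): ",
               "aggressive": "Aggressive OS guesses: "}


def infer_initial_ttl(observed_ttl: int) -> tuple:
    """Map a TTL seen in a reply to the smallest common initial TTL at or above it;
    the difference is the number of hops the packet travelled."""
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial, INITIAL_TTLS[initial], initial - observed_ttl
    raise ValueError(f"TTL {observed_ttl} out of range")


def parse_os_guesses(report: str) -> dict:
    """Extract the guess lists and the 'No exact OS matches' caveat from
    Nmap's -O text output (the JUST GUESSING form shown on this page)."""
    parsed = {"running": [], "aggressive": [], "exact_match": True}
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("No exact OS matches"):
            parsed["exact_match"] = False
            continue
        for key, prefix in GUESS_LINES.items():
            if line.startswith(prefix):
                for item in line[len(prefix):].split(", "):
                    m = GUESS_RE.match(item.strip())
                    if m:
                        parsed[key].append((m.group("name"), int(m.group("pct"))))
    return parsed


def best_guess(parsed: dict) -> Optional[tuple]:
    """Prefer the specific 'Aggressive' guesses over the family-level 'Running' ones;
    the third field says whether Nmap actually had an exact match."""
    candidates = parsed["aggressive"] or parsed["running"]
    if not candidates:
        return None
    name, pct = max(candidates, key=lambda g: g[1])
    return name, pct, parsed["exact_match"]


# Sample input: the -O output from the first run on this page.
SAMPLE_REPORT = """\
Device type: general purpose|storage-misc|firewall|webcam
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X (86%), Synology DiskStation Manager 5.X (85%), WatchGuard Fireware 11.X (85%), Tandberg embedded (85%)
Aggressive OS guesses: Linux 2.6.32 or 3.10 (86%), Synology DiskStation Manager 5.1 (85%), Linux 2.6.35 (85%)
No exact OS matches for host (test conditions non-ideal).
"""

if __name__ == "__main__":
    for ttl in (52, 116, 243):              # constructed observed TTL values
        print(ttl, "->", infer_initial_ttl(ttl))
    result = parse_os_guesses(SAMPLE_REPORT)
    print(best_guess(result))               # ('Linux 2.6.32 or 3.10', 86, False)
```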

Todo

  • Add the drawbacks of TCP ACK scanning
  • Read up on the details of the Maimon scan
  • Explain the Idle Scan principle in detail and reproduce it
  • Flesh out Nmap's advanced usage using chapter 5 onward of the Nmap渗透测试指南 book and the blogs listed under Reference
    • How to tune probe packets
    • Firewall/IDS evasion
    • Information gathering with Nmap
    • Penetration testing with Nmap
      • Database penetration testing with Nmap
    • Using Zenmap
    • Saving Nmap results and file output
    • Nmap tips

Reference

Nmap渗透测试指南 (Nmap Penetration Testing Guide), 商广明, ISBN 978-7-115-40395-7
Nmap Reference Guide (Nmap参考指南)
Hacker tools: a detailed Nmap usage tutorial
A very detailed nmap usage tutorial
nmap usage guide (ultimate edition)
Idle Scan

  • Title: Nmap渗透测试指南
  • Author: 7erry
  • Created at: 2023-12-16 00:00:00
  • Updated at: 2023-12-16 00:00:00
  • Link: http://7erry.com/2023/12/16/Nmap渗透测试指南/
  • License: This work is licensed under CC BY-NC 4.0.